Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment.
In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips.
"The vulnerabilities exist in the application software running on these devices," said Kojenov in his post. "All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device."
The critical flaws include: an administrative interface with a backdoor password (CVE-2020-24215); root access via telnet (CVE-2020-24218); and unauthenticated file upload (CVE-2020-24217), which enables malicious code execution and command injection. All of these can be exploited over the network or internet to hijack vulnerable equipment. Kojenov also flagged vulnerabilities of high and medium severity: a buffer overflow (CVE-2020-24214) that stops the thing from working properly, and a way to access RTSP video streams without authorization (CVE-2020-24216).
Huawei insists the vulnerabilities were not introduced by its HiSilicon chips nor the SDK code it provides to manufacturers that use its components. That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the the hi3520d chipset.
In a statement emailed to The Register and posted online, a Huawei spokesperson said, "Following the media reports about the suspected security issues (CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, and CVE-2020-24219) in HiSilicon video surveillance chips on September 16, 2020, Huawei has launched an immediate investigation. After technical analysis, it was confirmed that none of the vulnerabilities were introduced by HiSilicon chips and SDK packages. Huawei is in favor of coordinated vulnerability disclosure by all organizations and individuals in the security research ecosystem to reduce the impact on stakeholders."
After technical analysis, it was confirmed that none of the vulnerabilities were introduced by HiSilicon chips and SDK packages
Huawei said all the vulnerabilities mentioned in the report reside in the application layer provided by the equipment vendors. "These vulnerabilities are not introduced by the chips and SDKs provided by HiSilicon," the Middle Kingdom giant said.
CMU's CERT Coordination Center said the vulnerabilities exist in various network services running on various manufacturers' devices that use HiSilicon's parts, and are the result of software bugs, such as insufficient input validation and hardcoded credentials.
The encoders are used to stream video over IP networks, converting raw video signals to digital video using compression standards like H.264 or H.265 for distribution through a service like YouTube, or to be viewed directly in a web or app-based video player as an RTSP or HLS stream.
Kojenov says he analyzed video encoders from URayTech, J-Tech Digital, and Pro Video Instruments, and found their devices to be vulnerable to some or all of the reported flaws. He also identified several other vendors offering products based on the same system-on-chip, and he believes they may share some or all of the flaws: this includes equipment from Network Technologies Incorporated, Oupree, MINE Technology. Blankom, ISEEVY, Orivison, WorldKast/procoder, and Digicast.
Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?READ MORE
Kojenov said he notified various vendors but only one, Pro Video Instruments, took the notice seriously and responded. Most vendors, he said, have not yet issued a fix for these flaws. And in the absence of a patch, he advises that network admins make sure affected devices are behind a firewall with no externally exposed ports and with rules to block untrusted access.
He was able to find several hundred potentially vulnerable devices using the security-oriented search service shodan.io, and he expects these publicly exposed encoders are all exploitable over the internet.
"While most vulnerabilities seem unintentional (i.e. coding mistakes), one of them stands out," said Kojenov. "The hardcoded password is a deliberate backdoor."
In a message to The Register, he said all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it," he said. "I don't know if they have the source code for the program or it is distributed in binary form."
Taking Huawei’s representations at face value, we’re left to wonder where in the complicated manufacturing supply chain things went wrong. As Kojenov suggested in his report, most of the flaws appear to be unintentional coding mistakes. The fact that it’s not clear where these problems originated or who’s responsible should be at least as concerning as the specific risks posed by the bugs themselves.
Huawei maintains it wants to work toward better security.
"As an important part of the supply chain of video surveillance devices, HiSilicon is willing to collaborate with downstream equipment vendors and researchers through coordinated response to cyber security risks brought by the vulnerabilities mentioned in the report and protect the interests of end users," the tech goliath concluded. ®