CVE-2020-24051 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2020-24051?

CVE-2020-24051 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated attackers to bypass authentication checks in Moog EXO Series units' ONVIF protocol implementation. Attackers can execute privileged operations like creating new administrator accounts without credentials. This affects Moog EXO Series EXVF5C-2 and EXVP7C2-3 units using ONVIF protocol.

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass authentication checks in Moog EXO Series units' ONVIF protocol implementation. Attackers can execute privileged operations like creating new administrator accounts without credentials. This affects Moog EXO Series EXVF5C-2 and EXVP7C2-3 units using ONVIF protocol.

💻 Affected Systems

Products:

Moog EXO Series EXVF5C-2
Moog EXO Series EXVP7C2-3

Versions: All versions prior to patched firmware

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects units with ONVIF protocol enabled (typically default). Units must be network-accessible to be exploited.

📦 What is this software?

Exvf5c 2 Firmware by Moog

View all CVEs affecting Exvf5c 2 Firmware →

Exvp7c2 3 Firmware by Moog

View all CVEs affecting Exvp7c2 3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise where attackers gain administrative control, create persistent backdoors, disable security features, and potentially pivot to other network systems.

🟠

Likely Case

Attackers create unauthorized administrator accounts, modify system configurations, access video feeds, and disable legitimate user access.

🟢

If Mitigated

Limited impact if systems are isolated in secure networks with strict access controls and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH - Internet-facing units are directly exploitable without authentication, allowing remote attackers to gain administrative control.

🏢 Internal Only: HIGH - Even internally, any network-accessible unit can be exploited by attackers who gain network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted ONVIF requests. Public details available in IOActive disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Moog for specific patched firmware versions

Vendor Advisory: https://ioactive.com/moog-exo-series-multiple-vulnerabilities/

Restart Required: Yes

Instructions:

1. Contact Moog for latest firmware. 2. Backup configurations. 3. Apply firmware update via management interface. 4. Verify authentication requirements work properly.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Moog EXO units in separate VLANs with strict firewall rules limiting ONVIF access to authorized management systems only.

Disable ONVIF if Unused

all

Disable ONVIF protocol in device settings if not required for operations.

🧯 If You Can't Patch

Implement strict network access controls allowing only trusted IP addresses to communicate with ONVIF ports (typically 80, 443, 8899)
Enable detailed logging for authentication attempts and monitor for unauthorized administrative account creation

🔍 How to Verify

Check if Vulnerable:

Test ONVIF authentication by attempting privileged operations without credentials using tools like ONVIF Device Manager or custom scripts.

Check Version:

Check firmware version via web interface or ONVIF GetSystemDateAndTime request

Verify Fix Applied:

After patching, verify that authentication is required for all ONVIF privileged operations and test authentication bypass attempts fail.

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful privileged operations
Unexpected administrator account creation events
ONVIF requests from unauthorized sources

Network Indicators:

ONVIF SOAP requests to privileged endpoints without authentication headers
Traffic to ONVIF ports from unexpected IP addresses

SIEM Query:

source_ip=* AND (dest_port=80 OR dest_port=443 OR dest_port=8899) AND (http_user_agent CONTAINS "ONVIF" OR protocol="ONVIF") AND NOT auth_success=true AND action="privileged_operation"

📊 Metadata

CVE ID: CVE-2020-24051

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: August 21, 2020

Last Updated: November 21, 2024

🔗 References

https://ioac.tv/3hy1xu6 Exploit,Third Party Advisory
https://ioactive.com/moog-exo-series-multiple-vulnerabilities/ Third Party Advisory
https://ioac.tv/3hy1xu6 Exploit,Third Party Advisory
https://ioactive.com/moog-exo-series-multiple-vulnerabilities/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-24051, you might also want to check these: