CVE-2020-24219

7.5 HIGH

📋 TL;DR

CVE-2020-24219 is an unauthenticated path traversal vulnerability in URayTech/HiSilicon video encoders that allows attackers to read arbitrary files from the device's file system, including configuration files that store administrative passwords in cleartext. Organizations using affected video encoders in security or surveillance systems are at risk.

💻 Affected Systems

Products:
  • URayTech IPTV/H.264/H.265 video encoders
  • HiSilicon-based video encoders
Versions: Through version 1.97
Operating Systems: Embedded Linux systems on affected devices
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of these video encoding devices. No authentication is required by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain full administrative access to video encoders, potentially compromising entire surveillance systems, exfiltrating sensitive video footage, or using devices as network pivots.

🟠 Likely Case: Attackers steal administrative credentials and configuration files, enabling unauthorized access to video streams and device management interfaces.

🟢 If Mitigated: Attackers can only enumerate files but cannot access critical systems due to network segmentation and authentication controls.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows remote attackers to completely compromise exposed devices.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this, but exploitation requires network access to the encoder's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and detailed technical analyses are available. Simple HTTP requests with path traversal payloads can retrieve files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Contact URayTech/HiSilicon for firmware updates
2. If updates are unavailable, implement network-level mitigations
3. Consider replacing affected devices with patched alternatives

🔧 Temporary Workarounds

Network Access Control (applies to: all)

Restrict access to the encoder's management interface (typically port 80/443) to trusted networks only

Web Application Firewall Rules (applies to: all)

Block path traversal patterns in HTTP requests to the encoder

# Example ModSecurity rule to block ../ patterns (the closing quote was missing in the original)
# t:urlDecodeUni decodes percent-encoded sequences such as %2e%2e%2f before the pattern is matched
SecRule REQUEST_URI "\.\./" "id:1001,phase:1,t:none,t:urlDecodeUni,deny,status:403,msg:'Path Traversal Attempt'"

🧯 If You Can't Patch

  • Isolate affected encoders in a separate VLAN with strict firewall rules
  • Change administrative passwords and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to the encoder for http://<encoder-ip>/../../../../etc/passwd and check whether the file contents are returned

Check Version:

Check the web interface login page or system info page for the firmware version (affected devices typically display 1.97 or earlier)

Verify Fix Applied:

Attempt the same path traversal request after applying mitigations; a 403/404 error should be returned instead of the file contents

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing ../ patterns
  • Multiple failed authentication attempts after file disclosure
  • Access to configuration files from unusual IPs

Network Indicators:

  • HTTP GET requests with excessive ../ sequences
  • Traffic to encoder management interface from external IPs

SIEM Query:

source="encoder-web.log" AND (uri="*../*" OR uri="*..\\*" OR (status=200 AND uri="*/etc/*"))
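As an added example (not part of this advisory or any vendor tooling), a small Python scanner that applies the log indicators above to constructed sample log lines in Common Log Format. It goes beyond the SIEM query by percent-decoding the URI (including double encoding) and treating `..\` like `../`, so encoded traversal attempts are not missed; the log lines, IPs and paths are all constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format), not real encoder logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1042
203.0.113.7 - - [10/Sep/2020:12:00:02 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1611
198.51.100.9 - - [10/Sep/2020:12:00:03 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 887
198.51.100.9 - - [10/Sep/2020:12:00:04 +0000] "GET /..%5c..%5cboot.ini HTTP/1.1" 404 0
203.0.113.7 - - [10/Sep/2020:12:00:05 +0000] "GET /%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 120
"""

# Client IP, request line (method + URI) and status code from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment, i.e. "../", "/..", or a bare "..".
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalize_uri(uri: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches %252e double encoding)
    and map backslashes to forward slashes so ..\\ and ../ look alike."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/")


def classify(line: str):
    """Return (ip, normalized_uri, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = normalize_uri(m["uri"])
    reasons = []
    if TRAVERSAL_RE.search(uri):
        reasons.append("traversal")          # any "../" sequence, encoded or not
    if m["status"] == "200" and "/etc/" in uri:
        reasons.append("etc-read-200")       # successful read under /etc/
    return (m["ip"], uri, reasons) if reasons else None


def scan(log_text: str):
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, uri, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {uri} {','.join(reasons)}")
```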
