CVE-2020-24214
published 2020-10-06

Priority: P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 35.39% (98.2th percentile)

An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can send a crafted unauthenticated RTSP request to cause a buffer overflow and application crash. The device will not be able to perform its main purpose of video encoding and streaming for up to a minute, until it automatically reboots. Attackers can send malicious requests once a minute, effectively disabling the device.

Detection & IOCs (extracted from sources)

command: OPTIONS /0 RTSP/1.0\nCSeq: <3000-char oversized string>\n\n
port: 554
  • Detect oversized RTSP CSeq header values (e.g., 3000+ repeated characters) sent to RTSP servers on HiSilicon-based encoders; a legitimate CSeq is a small integer, not a multi-kilobyte string.
  • Alert on unauthenticated RTSP OPTIONS requests containing an abnormally large CSeq header field, which is the exploit delivery mechanism for this buffer overflow.
  • Monitor HiSilicon-based IPTV/H.264/H.265 video encoder devices for unexpected reboots or loss of RTSP service approximately every 60 seconds, which may indicate repeated exploitation.
  • The exploit uses plain TCP (telnet) to deliver the malformed RTSP payload; inspect raw TCP streams to the RTSP port for OPTIONS requests with CSeq values exceeding normal length bounds.
  • The exploit port is user-supplied and not hardcoded; the RTSP service may run on a non-standard port. Detection rules should not be limited to port 554 alone.
  • This vulnerability affects multiple vendors' devices built on HiSilicon hardware (URayTech, J-Tech Digital, ProVideoInstruments); the 'box' application is vendor-specific, so version fingerprinting will vary by vendor.
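
The CSeq checks described in the list above can be expressed as a small, port-agnostic inspector for reassembled client-to-server TCP payloads. This is an added example, not code from the page or its sources; the function name, the 10-byte length bound and the sample payloads are assumptions made for illustration.

```python
import re

# Assumption: a legitimate CSeq is a small integer, so 10 digits is a generous bound.
MAX_CSEQ_LEN = 10
REQUEST_LINE = re.compile(rb"^([A-Z_]+) (\S+) RTSP/1\.\d$")

def inspect_rtsp_payload(payload: bytes) -> list:
    """Return findings for one client-to-server payload (any TCP port)."""
    # Accept CRLF and bare LF line endings; the request seen for this CVE uses bare LF.
    lines = payload.replace(b"\r\n", b"\n").split(b"\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return []  # not an RTSP request line, nothing to check
    method = match.group(1).decode()
    cseq, has_auth = None, False
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == b"cseq":
            cseq = value.strip()
        elif name == b"authorization":
            has_auth = True
    if cseq is None:
        return []
    findings = []
    if len(cseq) > MAX_CSEQ_LEN:
        findings.append(f"oversized CSeq ({len(cseq)} bytes) in {method}")
    if not cseq.isdigit():
        findings.append("non-numeric CSeq")
    if findings and not has_auth:
        findings.append("unauthenticated request")
    return findings

# Constructed sample payloads (not captured traffic); 192.0.2.10 is a documentation address.
BENIGN = b"OPTIONS rtsp://192.0.2.10/0 RTSP/1.0\r\nCSeq: 2\r\n\r\n"
OVERSIZED = b"OPTIONS /0 RTSP/1.0\nCSeq: " + b"A" * 3000 + b"\n\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, inspect_rtsp_payload(sample))
```

Because the check keys on the RTSP request line rather than the destination port, it applies equally to services moved off 554.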

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P