CVE-2020-24918 - OpenCVE

A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash). This allows remote takeover of a Furbo Dog Camera, for example.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Ambarella	Oryx Rtsp Server

Configuration 1 [-]

cpe:2.3:a:ambarella:oryx_rtsp_server:2020-01-07:*:*:*:*:*:*:*

References

Link	Resource
https://somersetrecon.squarespace.com/blog/2021/hacking-the-furbo-part-1	Exploit Third Party Advisory
https://www.ambarella.com	Vendor Advisory
https://www.somersetrecon.com/blog	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-30T11:44:02

Updated: 2021-04-30T11:44:02

Reserved: 2020-08-28T00:00:00

Link: CVE-2020-24918

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-30T12:15:07.460

Modified: 2021-05-07T14:15:10.947

Link: CVE-2020-24918

JSON object: View

Redhat Information

No data.

CWE

CWE-120

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash). This allows remote takeover of a Furbo Dog Camera, for example."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-30T11:44:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.somersetrecon.com/blog"}, {"tags": ["x_refsource_MISC"], "url": "https://www.ambarella.com"}, {"tags": ["x_refsource_MISC"], "url": "https://somersetrecon.squarespace.com/blog/2021/hacking-the-furbo-part-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24918", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash). This allows remote takeover of a Furbo Dog Camera, for example."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.somersetrecon.com/blog", "refsource": "MISC", "url": "https://www.somersetrecon.com/blog"}, {"name": "https://www.ambarella.com", "refsource": "MISC", "url": "https://www.ambarella.com"}, {"name": "https://somersetrecon.squarespace.com/blog/2021/hacking-the-furbo-part-1", "refsource": "MISC", "url": "https://somersetrecon.squarespace.com/blog/2021/hacking-the-furbo-part-1"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24918", "datePublished": "2021-04-30T11:44:02", "dateReserved": "2020-08-28T00:00:00", "dateUpdated": "2021-04-30T11:44:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ambarella:oryx_rtsp_server:2020-01-07:*:*:*:*:*:*:*", "matchCriteriaId": "EEFAFD2B-B21F-4413-ACCA-4371D73E04A1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash). This allows remote takeover of a Furbo Dog Camera, for example."}, {"lang": "es", "value": "Un desbordamiento del b\u00fafer en el servicio RTSP del servidor Ambarella Oryx RTSP versi\u00f3n 07-01-2020, permite a un atacante no autenticado enviar una petici\u00f3n RTSP dise\u00f1ada, con un encabezado de autenticaci\u00f3n de resumen largo, para ejecutar c\u00f3digo arbitrario en la funci\u00f3n parse_authentication_header() en el archivo libamprotocol-rtsp.so.1 en el par\u00e1metro rtsp_svc (o causar un bloqueo). Esto permite la toma de control remota de una Furbo Dog Camera, por ejemplo."}], "id": "CVE-2020-24918", "lastModified": "2021-05-07T14:15:10.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-30T12:15:07.460", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://somersetrecon.squarespace.com/blog/2021/hacking-the-furbo-part-1"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.ambarella.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.somersetrecon.com/blog"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}