CVE-2020-24217

Name of the Vulnerable Software and Affected Versions HiSilicon Hi3520D (affected versions not specified)

Description The issue is related to the lack of authentication for a critical function in the HiSilicon Hi3520D chip set's firmware. This can be exploited by a remote attacker to cause a denial of service or execute arbitrary code. Specifically, the file-upload endpoint in the box application on HiSilicon based IPTV/H.264/H.265 video encoders does not enforce authentication, allowing attackers to send an unauthenticated HTTP request to upload a custom firmware component, which can lead to arbitrary code execution.

Recommendations As a temporary workaround, consider disabling the file-upload functionality until a patch is available. Restrict access to the box application on HiSilicon based IPTV/H.264/H.265 video encoders to minimize the risk of exploitation. Avoid using the file-upload endpoint in the affected application until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.