PT-2021-11401 · Rostelecom · Rostelecom Cs-C2Shw

Published: 2021-01-25 · Updated: 2021-02-02 · CVE-2020-27539

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rostelecom CS-C2SHW version 5.0.082.1
Description: A heap buffer overflow (out-of-bounds write) occurs during full parsing of HTTP responses. The cause is the self-written HTTP parser and builder in the AgentUpdater service. By default, the camera parses responses only from the HTTPS URLs specified in the config file, so the vulnerable code is unreachable unless an additional bug is exploited.
Recommendations: For Rostelecom CS-C2SHW version 5.0.082.1, as a temporary workaround, consider restricting access to the AgentUpdater service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2020-27539

Affected Products

Rostelecom Cs-C2Shw