Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment.

In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips.

"The vulnerabilities exist in the application software running on these devices," said Kojenov in his post. "All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device."

The critical flaws include: an administrative interface with a backdoor password (CVE-2020-24215); root access via telnet (CVE-2020-24218); and unauthenticated file upload (CVE-2020-24217), which enables malicious code execution and command injection. All of these can be exploited over the network or internet to hijack vulnerable equipment. Kojenov also flagged vulnerabilities of high and medium severity: a buffer overflow (CVE-2020-24214) that stops the thing from working properly, and a way to access RTSP video streams without authorization (CVE-2020-24216).

Huawei insists the vulnerabilities were not introduced by its HiSilicon chips or the SDK code it provides to manufacturers that use its components. That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the hi3520d chipset.

In a statement emailed to The Register and posted online, a Huawei spokesperson said, "Following the media reports about the suspected security issues (CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, and CVE-2020-24219) in HiSilicon video surveillance chips on September 16, 2020, Huawei has launched an immediate investigation. After technical analysis, it was confirmed that none of the vulnerabilities were introduced by HiSilicon chips and SDK packages. Huawei is in favor of coordinated vulnerability disclosure by all organizations and individuals in the security research ecosystem to reduce the impact on stakeholders."

Huawei said all the vulnerabilities mentioned in the report reside in the application layer provided by the equipment vendors. "These vulnerabilities are not introduced by the chips and SDKs provided by HiSilicon," the Middle Kingdom giant said.

CMU's CERT Coordination Center said the vulnerabilities exist in various network services running on various manufacturers' devices that use HiSilicon's parts, and are the result of software bugs, such as insufficient input validation and hardcoded credentials.

The encoders are used to stream video over IP networks, converting raw video signals to digital video using compression standards like H.264 or H.265 for distribution through a service like YouTube, or to be viewed directly in a web or app-based video player as an RTSP or HLS stream.

Kojenov says he analyzed video encoders from URayTech, J-Tech Digital, and Pro Video Instruments, and found their devices to be vulnerable to some or all of the reported flaws. He also identified several other vendors offering products based on the same system-on-chip, and he believes they may share some or all of the flaws: this includes equipment from Network Technologies Incorporated, Oupree, MINE Technology, Blankom, ISEEVY, Orivison, WorldKast/procoder, and Digicast.

Kojenov said he notified various vendors but only one, Pro Video Instruments, took the notice seriously and responded. Most ...
