CVE-2020-24918
Description
A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash). This allows remote takeover of a Furbo Dog Camera, for example. NOTE: The vendor states that the RTSP library is used for DEMO only, using it in product is a customer's behavior. Ambarella has emphasized that RTSP is DEMO only library, should NOT be used in product in our document. Because Ambarella's SDK is proprietary, we didn't publish our SDK source code in public network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in the Ambarella Oryx RTSP Server allows unauthenticated remote code execution via a crafted RTSP request with a long digest authentication header, affecting Furbo Dog Camera.
Vulnerability
A buffer overflow exists in the parse_authentication_header() function within libamprotocol-rtsp.so.1 of the Ambarella Oryx RTSP Server (version 2020-01-07). The RTSP service uses HTTP digest authentication; a crafted RTSP request with an overly long authentication header can overflow a stack buffer. This vulnerability affects the Furbo Dog Camera, which incorporates the library. [2][4]
Exploitation
An unauthenticated attacker on the same network can send a specially crafted RTSP request to port 554. The request includes a long digest authentication header that triggers a stack buffer overflow in parse_authentication_header(). The attacker can control the overflow data to achieve arbitrary code execution. No prior authentication or user interaction is required. [2]
Impact
Successful exploitation allows remote code execution in the context of the rtsp_svc process. This leads to full compromise of the device, including access to video streams, audio, and other functions. For the Furbo Dog Camera, an attacker can take over the device remotely. [2]
Mitigation
Ambarella states that the RTSP library is intended for DEMO use only and should not be used in production. No official patch has been released. Users should disable the RTSP service if not required. For Furbo devices, check for firmware updates from the manufacturer. The CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of this writing. [4][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ambarella/Oryx RTSP Server
- Range: = 2020-01-07
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in parse_authentication_header() when copying a long digest authentication header into a fixed-size stack buffer, leading to a stack buffer overflow."
Attack vector
An unauthenticated attacker sends a crafted RTSP request containing an overly long digest authentication header to the RTSP service. The `parse_authentication_header()` function in `libamprotocol-rtsp.so.1` copies this attacker-controlled data into a fixed-size stack buffer without bounds checking, causing a stack buffer overflow. This allows the attacker to overwrite the return address and execute arbitrary code, or cause a denial-of-service via crash [ref_id=1].
Affected code
The vulnerability resides in `parse_authentication_header()` within `libamprotocol-rtsp.so.1`, part of the RTSP service (`rtsp_svc`) in the Ambarella Oryx RTSP Server (2020-01-07). The advisory does not provide the full source code or patch files, as Ambarella's SDK is proprietary and not published publicly [ref_id=1].
What the fix does
No patch is published in the bundle. The vendor states that the RTSP library is intended for DEMO use only and should not be used in production products, as documented in their SDK. The advisory does not describe any code-level fix; the vendor's position is that the library's demo nature means customers should not ship it in production devices [ref_id=1].
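Since no code-level fix is published, the following added example (not Ambarella's code, and not taken from the advisory) shows how a digest-header parser can check each quoted value's length before copying it into a fixed-size buffer, which is the check the root cause above describes as missing. The struct layout, the `FIELD_MAX` capacity and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 128   /* assumed capacity; the real buffer size is not public */
struct digest_auth {    /* hypothetical layout, for illustration only */
    char username[FIELD_MAX], realm[FIELD_MAX], nonce[FIELD_MAX];
    char uri[FIELD_MAX], response[FIELD_MAX];
};

/* Copy the quoted value of `key` into out[cap].
 * Returns 0 on success, -1 if missing or malformed, -2 if it does not fit. */
static int digest_field(const char *hdr, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = hdr;
    while ((p = strstr(p, key)) != NULL) {
        /* Whole parameter names only, so "nonce" does not match "cnonce". */
        int boundary = (p == hdr) || p[-1] == ' ' || p[-1] == ',';
        if (boundary && p[klen] == '=' && p[klen + 1] == '"') {
            const char *val = p + klen + 2;
            const char *end = strchr(val, '"');
            if (end == NULL) return -1;     /* unterminated quoted string */
            size_t n = (size_t)(end - val);
            if (n >= cap)
                return -2;                  /* length checked before any copy */
            memcpy(out, val, n);
            out[n] = '\0';
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Parse "Digest k="v", ..." and reject the request on the first bad field. */
int parse_digest_bounded(const char *hdr, struct digest_auth *a)
{
    int rc;
    if (strncmp(hdr, "Digest ", 7) != 0)
        return -1;
    hdr += 7;
    if ((rc = digest_field(hdr, "username", a->username, sizeof a->username)) ||
        (rc = digest_field(hdr, "realm", a->realm, sizeof a->realm)) ||
        (rc = digest_field(hdr, "nonce", a->nonce, sizeof a->nonce)) ||
        (rc = digest_field(hdr, "uri", a->uri, sizeof a->uri)) ||
        (rc = digest_field(hdr, "response", a->response, sizeof a->response)))
        return rc;
    return 0;
}
```

A caller would answer any non-zero return with an RTSP error response and drop the request; an oversized value is refused outright so a truncated credential is never processed.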
Preconditions
- network: The target must be running the Ambarella Oryx RTSP Server (2020-01-07) with the RTSP service exposed on the network.
- auth: No authentication is required; the attacker can be unauthenticated.
- input: The attacker must be able to send a crafted RTSP request with a long digest authentication header to the RTSP service.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References