CVE-2024-54847

Vulnerability

The CP Plus CP-VNR-3104 network video recorder running firmware version B3223P22C02424 contains a vulnerability that allows attackers to access the Diffie-Hellman (DH) parameters used in cryptographic operations. This exposure stems from improper handling of DH parameters within the device's firmware. The affected version is B3223P22C02424. [3]

Exploitation

An attacker with network access to the device can retrieve the DH parameters without authentication. The exact method is not detailed in available references, but the exposure of these parameters enables the attacker to potentially decrypt communications or impersonate the device. No user interaction is required.

Impact

Successful exploitation allows the attacker to access sensitive data transmitted to or from the NVR, or to execute a man-in-the-middle attack, intercepting and potentially modifying communications. The attacker gains the ability to compromise the confidentiality and integrity of network traffic.

Mitigation

As of the publication date (2025-01-10), no official patch or firmware update has been released by CP Plus to address this vulnerability. Users are advised to monitor vendor advisories for updates. No workaround is documented. The device may be at risk until a fix is applied.