ICSA-21-229-01  ·  Published 2021-08-17

ThroughTek Kalay P2P SDK

CVSS 9.6 CRITICAL

Risk Summary

Successful exploitation of this vulnerability could permit remote code execution and unauthorized access to sensitive information, such as camera audio/video feeds. ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform.

CVEs (1)

Remediations

  • If the SDK is version 3.1.10 or above, enable AuthKey and DTLS.
  • If the SDK is any version prior to 3.1.10, upgrade the library to v3.3.1.0 or v3.4.2.0 and enable AuthKey/DTLS.
  • ThroughTek recommends that device users avoid accessing their devices from untrusted networks.
  • Additional information can be found in the ThroughTek advisory.

Affected Vendors

ThroughTek

Affected Products (5)

ThroughTek · Kalay P2P SDK <= 3.1.5
ThroughTek · Kalay P2P SDK * (with the nossl tag)
ThroughTek · Kalay P2P SDK * (using P2PTunnel or RDT module)
ThroughTek · Kalay P2P SDK * (that does not use AuthKey for IOTC connection)
ThroughTek · Kalay P2P SDK * (using the AVAPI module without enabling DTLS mechanism)

Affected Sectors

Communications
