Ministra IPTV Platform Contains Multiple Critical Vulnerabilities
CYBER NEWS

Ministra IPTV Platform Contains Multiple Critical Vulnerabilities

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Check Point security researchers revealed multiple critical vulnerabilities in a popular IPTV platform called Ministra. The vulnerabilities could allow attackers to bypass authentication and obtain users’ information. The impact of the vulnerabilities could be quite devastating. The research shows that there are over 1000 providers of the service. The good news is that vulnerability has been patched.




The Ministra platform is utilized by over a thousand regional and international online media streaming services to manage their millions of subscribers. The vulnerabilities in the platform could lead to their entire customer database of personal info and financial details being exposed, as well as allowing attackers to potentially stream any content on to the screens of the customer network.

Related: CVE-2019-12477: Vulnerability in Supra Smart Cloud TV

More about the Ministra Platform

Infomir is a Ukrainian manufacturer of IPTV (Internet Protocol Television), OTT (Over-the-Top) and VoD (Video-on Demand) devices such as set-top boxes, the report explains. The set-top boxes (STB) are described as streamers which connect to a television service provider from one side, and to customers’ television on the other. Each of these STBs communicates with from the dedicated Ministra platform.

In order to receive the television broadcast, the STB connects to the Ministra and service providers use the Ministra platform to manage their clients. Were an attacker to gain unauthorized access to this platform they could essentially expose the provider’s customer base’s financial details or change the content sent to the service providers’ customers.

Long story short, Check Point came across a logical flaw in an authentication function of Ministra. The function fails to validate requests thus enabling remote attackers to bypass authentication. In addition, attackers could also carry out SQL injection using another vulnerability which could be exploited only by an authenticated attacker.
When chained with a PHP object injection flaw, the remote execution of arbitrary code becomes possible, and this is visible in a video demonstration.

The good news is that the researchers contacted the company, which addressed the vulnerabilities in Ministra version 5.4.1. Vulnerable parties should update to the latest version of the platform as soon as possible.

Avatar

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...