A critical defect can affect millions of Hikvision devices

Breach Notification, Cyberwar / Nation-State Attacks, Endpoint Security

Video Security Tech Firm Releases Firmware Update to Fix the Vulnerability

Mihir Bagwe •
September 27, 2021

A security researcher who calls himself Watchful_IP has discovered a command injection vulnerability that affects millions of Hikvision – or IoT – Internet of Things devices.

See also: EMA Zero Trust Network Research Summary

Hikvision manufactures video-based IoT devices – including surveillance cameras, disk recorders, video codes, and video servers – that are used across industries and sectors, including critical infrastructure.

The flaw was first reported to the video security solutions provider by the security researcher on June 21, 2021. In a public notice, the company now says it has fixed the flaw and has also rolled out an update firmware for end users of all affected devices. , based on the security researcher’s suggestions.

When Information Security Media Group asked Watchful_IP why it took almost 90 days to repair and release the firmware update, he said, “There is a huge range of firmware to check, fix and test. products that had to undergo this process when done thoroughly with proper testing. “

In order to protect customers, Hikvision patched the firmware on public firmware portals before publicly announcing this issue, according to Watchful_IP. Responsible disclosure is a complicated process that must be managed with care so as not to expose businesses or end users to bad actors before the fixes are ready, he notes. As soon as you publicly announce a vulnerability, it says, “The bad guys are looking to use it to harm people.”

Hikvision says the flaw could potentially affect nearly 80 products, including models dating back to 2016. Although the company did not specify the number of devices affected, the video surveillance resource IPVM says, “We estimate that more than 100 million devices worldwide are affected “.

Vulnerability details

The vulnerability, which is tracked as CVE-2021-36260, has a CVSS rating of 9.8, which is critical. The flaw abuses the web servers of “certain” Hikvision products, according to the CVE description. Due to insufficient input validation, it allows malicious actors to launch a command injection attack by sending specially crafted malicious commands, the description says.

The researcher and the company have not disclosed the technical details of the vulnerability or released the proof of concept publicly, citing concerns of exploitation in the wild, according to the Watchful_IP blog.

The researcher claims that the vulnerability allows an attacker to take full control of a device with an unrestricted root shell. This, says the researcher, “is much more accessible than even the owner of the device, as they are limited to a limited ‘protected shell’ (psh), which filters input to a predefined set of limited, mostly informational commands.” .

All an attacker needs is access to the http server port 80 or to the https server port 443. No username or password is needed, no action is required. on the part of the device owner, and the attack will not be detectable by any connection on the device itself, the researcher says.

In addition to complete device compromise, successful exploitation also allows threat actors to gain access to internal networks and penetrate deep and sideways, adds the researcher.

Risk assessment

According to Hikvision’s security advisory, an attacker must be on the same network as the risky device to exploit the vulnerability. The threat actor can only exploit the vulnerability and attack a device if they can access a vulnerable device’s login screen, the report says. “

So the easiest way to assess the level of risk to the system, according to the company, is to check if the device’s webpage is directly accessible from the Internet without any additional network variation. “If so, the system should be considered high risk,” said the opinion.


Besides updating the firmware of the device, Hikvision recommends that users:

  • Minimize port numbers exposed to the Internet;
  • Avoid common port numbers and reconfigure them to custom ports;
  • Enable IP filtering.

The researcher adds, “I recommend that you do not expose any IoT device to the internet – no matter who it is made by or what country the device is made in, including the US, Europe, etc. Use a VPN for access if needed. Block outgoing traffic as well, if possible. I also like to give these devices the wrong gateway, or router, IP.

A fault used for espionage?

In 2018, President Donald Trump’s administration banned government agencies from doing business with Hikvision, among other companies, under the Defense Authorization Act 2019. The reasons given for the ban included issues of national security, privacy and espionage.

In the UK now, UK politician David Alton, in response to Hikvision’s disclosure, tweeted that “Home Office ministers will meet with the Commissioner for Biometrics and Surveillance Cameras to discuss the issues raised in his correspondence with Hikvision “.

British Minister of Lords Susan Williams, responding to Alton’s tweet, said, “We are aware of a number of Chinese tech companies linked to the violations in Xinjiang and are monitoring the situation closely.”

When the ISMG asked Watchful IP why it thought it was a real bug and not a deliberate entry point into Hikvision devices for state-sponsored spy campaigns, he said: “I have worked in IT with a focus on security for almost 30 years. With such experience, it becomes evident if something is deliberately placed and hidden on a built-in device. How a deliberately implanted and malicious “backdoor” would be implemented and used is totally different from this true software vulnerability.

He further clarified: “I cannot provide specific details apart from [of saying] it was absolutely clear to me … this was a real software bug and not a deliberate backdoor. If I found something that I considered a backdoor placed by any vendor based in any country, I would disclose it publicly regardless of the vendor’s wishes. ”

Source link