9.23.21- SSI – Steve Karantzoulidis
A cybersecurity researcher discovered that a vulnerability in Hikvision firmware allowed potential attackers to gain full control of devices without a username or password.
A vulnerability in Hikvision IP camera and NVR firmware was recently discovered by cybersecurity researcher Watchful IP.
In June, Watchful IP discovered the “majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical remote unauthenticated code execution vulnerability even with latest firmware (as of 21 June 2021). Some older models are affected also as far back as at least 2016. Some NVRs are also affected, though this is less widespread,” according to the report.
The vulnerability allowed an attacker to gain full control of a device with an unrestricted root shell (administrative rights or access). Watchful IP says this is even more access than a user typically gets, as users are restricted to a limited “protected shell,” which filters input to a predefined set of limited, mostly informational commands.
In addition to the IP camera being compromised, internal networks are also vulnerable.
The Common Vulnerability Scoring System (CVSS), which rates the severity of vulnerabilities on a scale of 0 to 10, gives this vulnerability a base score of 9.8, which is considered “critical.”
What makes this vulnerability so dangerous is the fact that it is a zero-click, unauthenticated remote code execution (RCE) vulnerability. As its name implies, that means no username or password is needed. It also doesn’t require any actions initiated by the camera owner.
Watchful IP notified Hikvision of the vulnerability as soon as it was discovered. As of Sept. 19, Hikvision released new firmware to address the vulnerability. You can find a list of the affected products here.
In its report, Watchful IP noted, “I’m a security researcher who used to look after servers, networks and 1000s of people’s data in a former life, and the last few months knowing this exists on such a large scale has been worrying. Still I needed to wait 90 days after reporting before making any responsible public disclosure, whilst providing assistance to them and encouraging patched firmware to be developed, tested, published and a public security advisory issued.”
When reached for comment, Hikvision provided SSI the letter it sent to its partners, which you can find below:
Dear Valued Partner:
Today, Hikvision has issued updated firmware on our website that fixes a critical Command Injection Vulnerability in the webserver of some Hikvision products. The list of products affected by the vulnerability can be accessed through the Security Advisory on our website.
We recognize that many of our partners may have installed Hikvision equipment that is affected by this vulnerability, and we strongly encourage that you work with your customers to ensure proper cyber hygiene and install the updated firmware.
With this vulnerability we wanted to provide you the details and timeline to reassure you that Hikvision’s commitment to cybersecurity is strong. In June 2021, Hikvision was contacted by a security researcher, named Watchful IP, who reported a potential vulnerability in a Hikvision camera. Once we confirmed receipt of this report, Hikvision worked directly with the researcher to patch and verify the successful mitigation of the reported vulnerability, following the standard Coordinated Disclosure Process.
To date, the vulnerabilities that have been reported to Hikvision and/or made publicly known, have been patched in the latest Hikvision firmware, which is readily available on the Hikvision website.
In addition, Hikvision is a CVE Numbering Authority (CNA) and has committed to continuing to work with third-party white-hat hackers and security researchers, to find, patch, disclose and release updates to products in a timely manner that is commensurate with our CVE CNA partner companies’ vulnerability management teams.
Hikvision strictly complies with the applicable laws and regulations in all countries and regions where we operate and our efforts to ensure the security of our products go beyond what is mandated.
Please do not hesitate to contact our team with any questions or concerns.