Summary

While processing specified RTSP requests, buffer overflow vulnerabilities may occurs for select Hikvision DVRs, which may result in potential service interruption for users.

These issues have been assigned Common Vulnerabilities and Exposures (CVE) ID:

• CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880.

Software Versions and Fixes

Impact

By exploiting these three vulnerabilities, attackers are able to plant scripts into the file system to creat service interruptions.

Technical Details

Precondition

DVR devices need to be connected to a network with external access.

Attack Step

Attacker sends malicious scripts to DVR devices.

Obtaining Fixed Software

Users may download updated firmware on the Hikvision official website:（Click Here）.

Contacts Method

For security problems with Hikvision products and solutions, please contact : hsrc@hikvision.com.

Dear Customers :

With the popularity of network video surveillance, more and more networking products are used in public networks, such as Network Video Recorders, Network Cameras, and Routers. But the public network environment is more vulnerable than internal network. You devices might be attacked by various viruses, like malicious network scanning if the devices are used in public networks without any modification of their default passwords.

We get to know some of our customers do not change the default passwords, which might cause heavy damages and losses.

Therefore, we hereby strongly recommend you to change the default passwords of the networking devices before using in public network.

We appreciate for your continuous supports to HIKVISION.

HIKVISION Digital Technology Co., Ltd.
March, 2014

1. Hikvision attaches great importance on information security of its products and solution. We promise that for every problem reported, there is a specially assigned person to follow up, analyze and give feedback in time.
2. Hikvision supports responsible flaw disclosure and handling. We promise that to protect the interests of our customers, those who help us to improve the information security will be appreciated and rewarded.
3. Hikvision objects and condemns all actions that exploit the security flaw to damage the customer interests, including but not limited to the stolen of user private information or virtual property, unauthorized system access and system data getting, and malicious spreading the security flaw and data.
4. Hikvision believes that the processing of each security flaw and the progress of the whole security industry must be joint efforts of every party. Hikvision hopes that we can strengthen the cooperation with other enterprises in the industry, the security company and security researcher to maintain the information security of the surveillance industry. Thank you for your concerns on Hikvision and our products.

Hikvision  announces to release the updated version of products firmware gradually  in March 2015. With this update, alerts are added to request users to  change default password. The update will include the following security  enhancements in the IPC version 5.3.0 and DVR/NVR version 3.2.0:

  ·If the default password is not changed, a change the password prompt dialogue will show up when the user attempts to log in.
  ·IPC/DVR/NVR will lock the current login IP address after a certain incorrect login attempt.
  ·Telnet access is no longer available.
  ·For IPC, when the user resets the password, a password strength prompt (high, middle, low) will show in the web browser.
 

Since  March 2014, Hikvision has continuously notified customers to change  default password, and has taken the following steps to strengthen the  security of the products. End-users may always visit the Security Center  on our website for further information and updates.

Notifications to End-Users, OEMs, Installers and System Integrators

     1.    On  December 5th, 2014, Hikvision began to include a warning notice in each  product package in order to alert end users to change the default  password during installation. 

     2.    In September 2014, Hikvision posted a notice about changing the default password in the DDNS.

     3.    In  March 2014, Hikvision added a notice to the company website about  changing the default password.  It also edited its user manuals by  adding a notice to change the default password.

     4.    In March 2014, Hikvision created the Security Center in  its website. This center includes best practices for end users;  information for OEM customers, installers, contractors and system  integrators; and allows security researchers to disclose potential  security vulnerabilities to Hikvision.

Historical Updates of Products Firmware:

1.    IPC updates

     a)    On July 2014, Hikvision released IPC versions 5.2.0, which included the following additional safety measures:

   ·        No  plain text is shown when creating a new user account or to change the  password, and the username and password cannot be reproduced or copied.

     b)   On December2013, Hikvision released IPC version 5.1.0, which included the following additional safety measures:

   ·        Encrypting login information and all transmitted data.

   ·        Telnet is disabled by default. 

2.    DVR/NVR updates

Security features for DVR/NVR devices operated under a number of platforms have also been upgraded as follows: 

     a)    The following are updates on DS-7100/7200/7300/8100 series DVR:

   ·        Version3.0.0 released in February 2014, telnet access was disabled by default. (For DS-7100 series DVR, the firmware version is 2.2.13.) 

   ·        Version3.1.3 released  in December 2014, there is a prompt dialog box for changing the  password if the default password is not changed; while login the DVR on  local menu, the login account will be locked for some time after several  incorrect login attempts. (For DS-7100 series DVR, this firmware version  is 2.2.15.)

     b)   The following are updates on Netra DS-9100/9000/9500/9600/8000/8100/8500/8600/7600/7700 series DVR/NVR:

   ·        Version3.1.0 released in January 2014, telnet access was disabled by default.  

Hikvision  is dedicated to providing top quality video surveillance products and  solutions to customers worldwide. We appreciate continued support from  our valued customers and partners.

HANGZHOU HIKVISION DIGITAL TECHNOLOGY CO., LTD.

March 2015

Summary

While  processing the specified HTTP requests after identity authentication  (successful login with the correct username and password), buffer  overflow vulnerabilities may occur for selected Hikvision NVRs. This may  result in potential service interruption for users.

This Vulnerability has been designated as Common Vulnerabilities and Exposures (CVE).

ID No: CVE-2015-4407, CVE-2015-4408 and CVE-2015-4409.

Impact

By  exploiting these three vulnerabilities, after successfully login to the  NVRs with the correct username and password, attackers could be able to  plant malicious HTTP scripts to create service interruption.

Precondition

NVR devices can be connected after login with correct username and password.

Attack Step

       Attackers may send malicious HTTP scripts to selected NVR devices.

Software Versions and Fixes

Obtaining Fixed Firmware

      Users should download the updated firmware to guard against these  potential vulnerabilities. It is available on the Hikvision official  website:（Click Here）.

Contact Us

For security problems about Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com

Dear Valued Partner,

Hikvision has  determined that there is a scripted application specifically targeting  Hikvision NVRs and DVRs that meet the following conditions: they have  not been updated to the latest firmware; they are retained as the  default port, default user name, and default password.

Hikvision has introduced secure Activation Mechanism into all of product lines since March of 2015, it is required to create  password when first login. However, it was possible, before that date,  to install NVRs and DVRs with default settings. Therefore, we provided  updated firmware which includes this mandatory setting for customers to  upgrade existing devices.
 
Hikvision strongly recommends that our  customer base review the security levels of equipment installed prior  to March 2015 to ensure the use of complex passwords and upgraded  firmware to best protect their customers.

Below are firmware and password guidelines and specific steps to take to secure a system:

Password and Firmware Overview

•     Leaving factory-default, poorly chosen, or weak passwords in your  camera or video recorder may result in unauthorized access or  exploitation of your company resources.

•    Change every password in every device occasionally. Old passwords can carry additional risk.

•    Ensure all systems have the latest firmware.

•     All users, including contractors and vendors with access to your  company systems, should take appropriate steps to select and secure  their passwords and update your firmware on your system.

Password and Firmware Steps

 
1.    Make sure to have your device behind a firewall.

o    Make sure that your firewall is updated with the latest firmware and that the default password is changed on your router.
o     If you want to have your device work with a Hikvision or third-party  online services, make sure to set up port-forwarding on your firewall.

2.    Check if your system has the latest firmware. Here is a link to  check if your product needs to be upgraded to the latest firmware.

3.    After updating firmware, please restore factory default, and ensure that you have restarted your device.

4.    Once the device is restarted, it will ask you to give a more secure password.
o    Go through the process to secure your devices.

5.    Now that you have updated your device please make sure to change your password regularly.

Additional Information and Resources

•Technical Bulletin: How to Activate Device for DVR, NVR and IP camera

 
•Video:  How to upgrade NVR locally

•Video:  How to upgrade IPC or NVR in web interface

Please visit the Security Center on our website for additional information and updates. Should you  require additional support, please do not hesitate to contact our local  technical support team or at support@hikvision.com.


Sincerely,
Hangzhou Hikvision Digital Technology Co., Ltd.

Summary

While processing a  specified request code, the user privilege-escalating vulnerability may  occur for select Hikvision IP cameras with particular firmware version.  

This vulnerability was discovered, and until now, has not been designated as Common Vulnerabilities and Exposures(CVE).

Impact

By  exploiting this vulnerability, attackers could obtain an unauthorized  escalated additional user privilege to acquire or tamper with the device  information.

Affected Software Versions and Fixes

Solution

Update devices with the correct firmware.

Contact Us

Should you have a security problem or concern, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Descriptions:

Apache  Struts 2 is one ofpopular development frameworks for Java Web  applications. However, recently JakartaMultipart parser, a plug-in of  Apache Struts 2, was found to have a vulnerabilityof remote code  execution. Attackers may execute malicious remote source code  bymodifying the Content-Type in HTTP request when uploading the files by  suchplug-in. For more information, please refer to the official website  of ApacheStruts2: https://struts.apache.org/docs/s2-045.html

Affected Products:

• iVMS-5200 Professionalbaseline versions V3.3.4 and before, including Mobile and ANPR sub systems.

• Blazer Pro v1.0 baselineversions

Solution:

Hikvision  has published a hotfixto upgrade Apache Struts 2 to its latest version,  Struts 2.3.32 and 2.5.10.1,which Apache Struts had officially released  to fix the potential vulnerability.To implement the hotfix:

1.         Download the hotfix from Hikvision official website: 

l   iVMS-5200 Professional,including Mobile and ANPR sub systems: Click Here

l   Blazer Pro v1.0: Click Here

2.         Copy  the hotfix 5200P-ST&FJ-201703.exe to the desktop of the computer  orthe Blazer Pro where the Central Management Server service of the iVMS  softwareis running.

3.         Close the Service Manager by clicking the Exit button at the notificationarea.

4.         Double  click the hotfix to run it. The hotfix will check the running  environment,stop the services of the iVMS software, replace the affected  files and restartthe services. If you see the interface below, it means  that the system has beenupgraded successfully and returned to normal  status. 

5.         Restart the Service Manager.

If you have any doubt about the upgrade procedure,please do not hesitate to contact Hikvision local support team or at support@hikvision.com. 

Contact Us:

Should you have a security problem or concern,please contact Hikvision Security Response Center at hsrc@hikvision.com.

Dear Valued Customers and Partners:

Hikvision  is honored to work with the U.S. Department of Homeland Security’s  National Cybersecurity and Communications Integration Center in our  ongoing cybersecurity best practice efforts. 

We’re  pleased to announce that Hikvision’s successful progress on a  privilege-escalating vulnerability has been acknowledged by ISC-CERT  (Industrial Control Systems Cyber Emergency Response Team).  Specifically, ISC-CERT has recognized that on March 13, 2017 Hikvision  released the fixed firmware version 5.4.41/5.4.71 to address the user  privilege-escalating vulnerability on those particular affected camera  models. 

What  do customers need to know about the privilege-escalating  vulnerability?  What steps should customers take to enhance the  cybersecurity of Hikvision systems? 

·Please review the March 13,2017 notice,  which outlines potential cybersecurity concerns that could arise with  specific cameras under certain, fairly uncommon circumstances.  To date,  Hikvision is not aware of any reports of malicious activity associated  with this vulnerability. ·Hikvision  always recommends a systematic, multi-step approach to enhance  cybersecurity protection. To assist customers and partners, Hikvision  offers a number of industry-leading cybersecurity resources. Please  visit the Hikvision Security Center for more information. 

·The Hikvision Network Security Hardening Guide is a new resource for installers.

·Hikvision also encourages customers to utilize ICS-CERT resources, including ISC-CERT Recommended Practices and ISC-CERT Defense in Depth. 

Did ISC-CERT recommend further enhancements in future firmware upgrades?

·ISC-CERT specifically identified the area of potential concern about the “configuration file”. 

Under what circumstances is there a concern with the configuration file? How will Hikvision address this concern?

·The  configuration file is encrypted and is therefore not readable, and  protects users’ credentials. Also, the configuration file can only be  exported by the admin account. Hikvision appreciates ICS-CERT’s comment,  and will enhance the private key decryption storage method in the  upcoming firmware release.

Hikvision  is proud to be at the forefront of the move to improve cybersecurity  best practices in our industry. Cybersecurity must be top-of-mind  throughout the product lifecycle, from R&D and manufacturing to  installation and maintenance. Hikvision’s in-house cybersecurity experts  are dedicated to constantly assessing and improving our products and  our processes, and the Hikvision team provides market-leading  cybersecurity education and support to our valued customers. We’re also  actively engaged with our competitors and partners on collaborative  cybersecurity efforts that benefit our entire industry. 

Interoperability  is key to the success of IP video technology. While it’s exciting to  watch the ecosystem of video surveillance devices multiply, this also  increases our cybersecurity challenges. Establishing interoperability  standards for video surveillance should be a top priority and one that  everyone in the surveillance industry needs to share.

If  you have any questions or concerns about Hikvision products, please  contact Hikvision branch office, representatives or consult us at  overseasbusiness@hikvision.com. For technical concerns, you may contact support@hikvison.com.

Dear Valued Customers and Partners:

Reminder to apply known vulnerability patch

Early in March, Hikvision was made aware of a privilege-escalating vulnerability in  certain IP cameras. Firmware update that resolves the issue has been  readily available on the Hikvision website since mid-March. Please see  the referred vulnerability information and links to updated firmware.

Recently,  a few online reports on cyberattacks over part of Hikvision products  have been brought to our attention. Regarding this, Hikvision reaffirms  that updating all systems to the latest version is an effective way to prevent your equipment from being vulnerable to cyberattacks. We have provided the available solution and we urge all our partners and users to ensure that the firmware update is being applied to all the products in order to reinforce cybersecurity protection of Hikvision systems.

Hikvision takes cybersecurity concerns with the utmost seriousness and takes action  everyday to ensure that our products are not only innovative, but they  meet the highest standards of cybersecurity best practices.

Please  check the above link and make sure that all cameras are running on the  latest firmware. More information on the vulnerability and our resolution efforts can be found at Hikvision Security Center. Should you wish for assistance or have any other concerns about Hikvision products that you’d like to discuss, please contact Hikvision branch office, representatives or consult us at support@hikvision.com.

Sincerely

Hikvision Digital Technology Co., Ltd.

Summary

Recently,  a security vulnerability affecting Intel processors was disclosed. This  vulnerability may result in operating systems’ kernel information  leakage. Applications can access kernel data without authorization.

Hikvision  immediately launched an investigation and established a technical  communications process with its supplier. The investigation is still  ongoing. HSRC will continue to provide updates to this notice as  relevant information becomes available. 

CVE-ID：

CVE-2017-5753

CVE-2017-5715

CVE-2017-5754

Impact

Investigative process is ongoing.

Affected Software/Hardware Version and Fixes 

TBD

Solution

Investigative process is ongoing.

Contact Us

This  notice will be updated continuously. We recommend monitoring this  notice to check for status updates. Should you have any questions,  please feel free to contact us via email at hsrc@hikvision.com.

SN No.: HSRC-202109-01

Edit: Hikvision Security Response Center (HSRC)

Initial release date: 2021-09-19

Summary:

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

CVE ID:

CVE-2021-36260

Scoring:

CVSS v3 is adopted in this vulnerability scoring（http://www.first.org/cvss/specification-document）

Base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal score: 8.8 (E:P/RL:O/RC:C)

Affected versions and resolved version:

Information of affected versions and resolved versions：

Precondition:

The attacker has access to the device network or the device has direct interface with the internet

Attack step:

Send a specially crafted message.

Obtaining fixed firmware:

Users should download the updated firmware to guard against this potential vulnerability. It is available on the Hikvision official website: Firmware download

Source of vulnerability information:

This vulnerability is reported to HSRC by UK security researcher Watchful IP.

Contact Us:

 Should you have a security problem or concern, please contact Hikvision Security Response Center at hsrc@hikvision.com.