Hikvision 7513

Vulnerability discovered on 20 June 2021

Summary

Hikvision camera products are affected by a critical remote unauthenticated code execution vulnerability. It affects a majority of the recent camera ranges, as well as some older models. The vulnerability allows attackers to gain full control of the device with an unrestricted root shell, potentially compromising internal networks.

This is a critical, zero-click, unauthenticated remote code execution (RCE) vulnerability. Given the widespread deployment of these cameras, even critical infrastructure is at risk.

Risk Assessment

  • Remotely Exploitable: Yes
  • Authentication Required: None
  • Zero click (no action needed from device owner): Yes
  • Render device inoperable: Yes
  • Read customer data: Yes
  • Change customer data: Yes
  • Latest firmware vulnerable: Yes (as of 21 June 2021)
  • Latest products vulnerable: Yes
  • Denial of Service vulnerability: Yes
  • Potentially enable physical attack on site: Yes
  • Attack internal network: Yes

This vulnerability is the most serious form of vulnerability for Hikvision cameras.

Vulnerability Details

Not for public release in order to protect companies/end users.

Proof of Concept (POC) example

To demonstrate the severity of the vulnerability, a real-world example of attacking a target camera was captured. The video showcased the attacker obtaining information that should only be available to the device owner, gaining unauthorized access to a root shell via SSH, and bypassing the camera admin web portal authentication.

Recommendations Made to Hikvision

Several recommendations were made to Hikvision in a comprehensive report. The flawed code was identified, and the best way to address the issue was suggested. The key recommendations were to issue new firmware as soon as possible and to issue a public security advisory.

Remediation

Patched firmware has been received and tested, confirming that it resolves the vulnerability. The firmware was provided by the Hikvision Security Response Center (HSRC) for testing purposes. It is recommended that users update their devices with the patched firmware.

Is This a Chinese Government Mandated Backdoor?

No, this vulnerability is not a Chinese Government mandated backdoor. It should be noted that not all firmware types are affected.

Thanks

A special thank you to the members of the ipcamtalk.com community who assisted in this security research. Their collaboration and support were invaluable throughout the testing and reporting process.

Affected Firmware Types

The vulnerability affects various firmware types, including IPC (IP Camera), IPD (IP Dome), and Legacy Firmware. The most recent vulnerable firmware versions for each type are listed below. Please refer to Hikvision’s security advisory for more information.

Vulnerable IP Camera Firmware

  • IPC_E0: IPC_E0_CN_STD_5.4.6_180112
  • IPC_E1: Unknown
  • IPC_E2: IPC_E2_EN_STD_5.5.52_180620
  • IPC_E4: Unknown
  • IPC_E6: IPCK_E6_EN_STD_5.5.100_200226
  • IPC_E7: IPCK_E7_EN_STD_5.5.120_200604
  • IPC_G3: IPC_G3_EN_STD_5.5.160_210416
  • IPC_G5: IPC_G5_EN_STD_5.5.113_210317
  • IPC_H1: IPC_H1_EN_STD_5.4.61_181204
  • IPC_H5: IPCP_H5_EN_STD_5.5.85_201120
  • IPC_H8: Factory installed firmware mid-2021
  • IPC_R2: IPC_R2_EN_STD_V5.4.81_180203

Vulnerable PTZ Camera Firmware

  • IPD_E7: IPDEX_E7_EN_STD_5.6.30_210526
  • IPD_G3: IPDES_G3_EN_STD_5.5.42_210106
  • IPD_H5: IPD_H5_EN_STD_5.5.41_200911
  • IPD_H7: IPD_H7_EN_STD_5.5.40_200721
  • IPD_H8: IPD_H8_EN_STD_5.7.1_210619

Vulnerable Legacy Firmware

Proven to be vulnerable, though newer firmware versions that do not have the vulnerability have existed for some time.

  • IPC_R7: Up to 5.4.x
  • IPD_R7: Up to 5.4.x
  • IPC_G0: Up to 5.4.x
  • IPC_H3: Up to 5.4.x
  • IPD_H3: Up to 5.4.x
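
For inventory triage against the lists above, the following added example (not code from the original advisory or from Hikvision) parses firmware identifiers of the form shown and flags devices for patching. The status names, the sample inventory, and the rule that builds dated at or before a listed build are treated as suspect are assumptions of this example.

```python
import re

# Newest build each list above names as vulnerable: platform -> build date (YYMMDD).
LISTED = {
    "IPC_E0": "180112", "IPC_E2": "180620", "IPC_E6": "200226",
    "IPC_E7": "200604", "IPC_G3": "210416", "IPC_G5": "210317",
    "IPC_H1": "181204", "IPC_H5": "201120", "IPC_R2": "180203",
    "IPD_E7": "210526", "IPD_G3": "210106", "IPD_H5": "200911",
    "IPD_H7": "200721", "IPD_H8": "210619",
}
# Legacy platforms the page lists as vulnerable "up to 5.4.x".
LEGACY = {"IPC_R7", "IPD_R7", "IPC_G0", "IPC_H3", "IPD_H3"}

# <prefix>_<platform>_<region>_STD_[V]<version>_<YYMMDD>; the prefix may carry
# extra letters (IPCK, IPCP, IPDEX, IPDES) that still map to IPC or IPD.
FIRMWARE_RE = re.compile(
    r"^(IPC|IPD)[A-Z]*_([A-Z]\d)_([A-Z]{2})_STD_V?(\d+(?:\.\d+)+)_(\d{6})$")

def parse(identifier):
    """Return (platform, version tuple, build date) or None if unrecognised."""
    m = FIRMWARE_RE.match(identifier.strip())
    if not m:
        return None
    version = tuple(int(p) for p in m.group(4).split("."))
    return f"{m.group(1)}_{m.group(2)}", version, m.group(5)

def triage(identifier):
    """Classify one identifier as 'suspect', 'not_listed' or 'unparsed'."""
    parsed = parse(identifier)
    if parsed is None:
        return "unparsed"
    platform, version, build = parsed
    if platform in LEGACY:
        return "suspect" if version[:2] <= (5, 4) else "not_listed"
    # Assumption: a build dated at or before the listed build is treated as suspect.
    if platform in LISTED and build <= LISTED[platform]:
        return "suspect"
    return "not_listed"

# Constructed inventory for illustration (device names and two builds are made up).
INVENTORY = {
    "lobby-cam": "IPC_G3_EN_STD_5.5.160_210416",
    "gate-ptz": "IPDEX_E7_EN_STD_5.6.30_210526",
    "dock-cam": "IPC_G5_EN_STD_5.5.999_220101",   # constructed later build
    "old-cam": "IPC_R7_EN_STD_5.4.0_170101",      # constructed legacy build
    "nvr-1": "unknown-format-string",
}

def report(inventory):
    return {name: triage(fw) for name, fw in inventory.items()}
```

A `not_listed` result only means the build is not at or before one named on this page; it still has to be checked against Hikvision's security advisory before the device is considered patched.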

Timeline

  • Vulnerability discovered: Sunday 20 June 2021
  • Manufacturer notified of the issue: Monday 21 June 2021
  • Follow-up emails and vulnerability details provided: Wednesday 23 June 2021
  • HSRC confirms issue reproduction: Wednesday 23 June 2021
  • CVE ID assigned (CVE-2021-36260): Sunday 12 July 2021
  • Limited public disclosure and publication of advisories: Saturday 18 September 2021