Hikvision officials have admitted that there’s a zero-click vulnerability in many of their security cameras and NVRs that could allow an unauthenticated attacker to gain full access to the device and possibly internal networks.
The researcher, dubbed ‘Watchful_IP’, has released details of the unauthenticated remote code execution (RCE) bug in certain products from Hikvision that bypasses the device’s username and password.
The vulnerability can be exploited to gain root access and take full control of a device. An attacker could also use compromised devices to access internal networks. “Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk,” the researcher warned.
In total, more than 70 Hikvision camera and NVR models are affected by a critical vulnerability and according to IPVM, more than 100 million devices are impacted.
How the Hikvision 2021 Critical Vulnerability works?
“Watchful_IP”, the researcher, describes it as simple to exploit: Only access to the http(s) server port (typically 80/443) is needed. No username or password needed nor any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself.
The researcher refused to release a full Proof of Concept, but Hikvision describes it as the result of “send[ing] a specially crafted message”. A CVE has been reserved (CVE-2021-36260).
The researcher claims that firmware has been susceptible to the bug since as far back as 2016. Hikvision has acknowledged the findings and has patched the issue. The company has also released a security advisory detailing which products are at risk.
A summary reads: “Due to the insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.”
This vulnerability provides total control of the embedded computer’ in these devices with unrestricted root shell access, according to Watchful-IP:
This permits an attacker to gain full control of a device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to a limited “protected shell” (psh) which filters input to a predefined set of limited, mostly informational commands.
This means as the researcher pointed out, that the vulnerability can be used to “access and attack” internal networks as well as launch denial of service attacks across the Internet.
Are the OEM versions impacted by this vulnerability?
Yes, even the OEM version will be impacted. And because Hikvision cameras are so widespread, the vulnerability will impact hundreds of brands worldwide. Check out the Hikvision OEM directory in this link.
The worst part is that many Hikvision OEM brands try to hide their relationship with Hikvision and pass the cameras as their own, meaning they’ll disregard this vulnerability and many users will not even realize it.
Affected versions and resolved version
Some of the affected versions are listed below. Actually, almost all Hikvision logo and OEM cameras are prone to this vulnerability. If you got such camera, you need to IMMEDIATLY update the firmware.
Product name | Affected version(s) |
DS-2CVxxx1 DS-2CVxxx5 DS-2CVxxx6 |
Versions which Build time before 210625 |
HWI-xxxx | |
IPC-xxxx | |
DS-2CD1xx1 | |
DS-2CD1x23 DS-2CD1x43(B) DS-2CD1x43(C) DS-2CD1x43G0E DS-2CD1x53(B) DS-2CD1x53(C) |
|
DS-2CD1xx7G0 | |
DS-2CD2xx6G2 DS-2CD2xx7G2 |
|
DS-2CD2x21G0 | |
DS-2CD2xx3G2 | |
DS-2CD3xx6G2 DS-2CD3xx7G2 |
|
DS-2CD3xx7G0E | |
DS-2CD3x21G0 DS-2CD3x51G0 |
|
DS-2CD3xx3G2 | |
DS-2CD4xx0 DS-2CD4xx6 DS-2CD5xx7 DS-2CD5xx5 iDS-2XM6810 iDS-2CD6810 |
|
DS-2XE62x7FWD(D) DS-2XE30x6FWD(B) DS-2XE60x6FWD(B) DS-2XE62x2F(D) DS-2XC66x5G0 DS-2XE64x2F(B) |
|
DS-2CD7xx6G0 DS-2CD8Cx6G0 |
|
KBA18(C)-83x6FWD | |
(i)DS-2DExxxx | |
(i)DS-2PTxxxx | |
(i)DS-2SE7xxxx | |
DS-2DYHxxxx | |
DS-DY9xxxx | |
PTZ-Nxxxx | |
HWP-Nxxxx | |
DS-2DF5xxxx DS-2DF6xxxx DS-2DF6xxxx-Cx DS-2DF7xxxx DS-2DF8xxxx DS-2DF9xxxx |
|
iDS-2PT9xxxx | |
iDS-2SK7xxxx iDS-2SK8xxxx |
|
iDS-2SR8xxxx | |
iDS-2VSxxxx | |
DS-2TBxxx DS-Bxxxx DS-2TDxxxxB |
Versions which Build time before 210702 |
DS-2TD1xxx-xx DS-2TD2xxx-xx |
|
DS-2TD41xx-xx/Wx DS-2TD62xx-xx/Wx DS-2TD81xx-xx/Wx DS-2TD4xxx-xx/V2 DS-2TD62xx-xx/V2 DS-2TD81xx-xx/V2 |
|
DS-76xxNI-K1xx(C) DS-76xxNI-Qxx(C) DS-HiLookI-NVR-1xxMHxx(C) DS-HiLookI-NVR-2xxMHxx(C) DS-HiWatchI-HWN-41xxMHxx(C) DS-HiWatchI-HWN-42xxMHxx(C) |
V4.30.210 Build201224 – V4.31.000 Build210511 |
DS-71xxNI-Q1xx(C) DS-HiLookI-NVR-1xxMHxx(C) DS-HiLookI-NVR-1xxHxx(C) DS-HiWatchI-HWN-21xxMHxx(C) DS-HiWatchI-HWN-21xxHxx(C) |
V4.30.300 Build210221 – V4.31.100 Build210511 |