banner



Can You Roll Back The Firmware On Hikvision Cameras?

Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

This article has been written for a technical audience.

Vulnerability discovered 20 June 2021

Table of Contents:

Summary
Take chances Cess
Vulnerability details
Proof of Concept video on a real target
A few stills from the real attack POC video
Recommendations made to Hikvision
Remediation
Is this a Chinese Government mandated backdoor?
Boosted
Thanks
Affected Firmware Types
Affected Model List
Timeline

Summary

The bulk of the recent camera production ranges of Hikvision cameras are susceptible to a critical remote unauthenticated code execution vulnerability fifty-fifty with latest firmware (equally of 21 June 2021). Some older models are affected also as far back equally at least 2016. Some NVRs are likewise affected, though this is less widespread.

This is being tracked as CVE-2021-36260

Hikvision'due south security advisory: security-notification-control-injection-vulnerability-in-some-hikvision-products

This permits an attacker to proceeds total control of device with an unrestricted root beat, which is far more than access than even the owner of the device has as they are restricted to a limited "protected shell" (psh) which filters input to a predefined set of limited, generally informational commands.

In improver to complete compromise of the IP camera, internal networks tin can and so exist accessed and attacked.

This is the highest level of disquisitional vulnerability – a zero click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras. Connected internal networks at take a chance

Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk.

A listing of affected firmware types tin can exist found at the end of this document.

Firmware from as long agone as 2016 has been tested and found to be vulnerable.

Just access to the http(due south) server port (typically fourscore/443) is needed. No username or countersign needed nor whatever actions need to exist initiated by camera possessor. Information technology will non be detectable by any logging on the camera itself.

This vulnerability was reported to Hikvision the mean solar day subsequently discovery, on 21 June 2021. I wrote a full report to them identifying the problem code, the device types affected, POC and recommendations for resolution.

At the time of writing, patched firmware is partially bachelor though inconsistently deployed across various Hikvision firmware portals.

Adventure Assessment

Impact:

  • Remotely Exploitable: Yep
  • Authentication Required: None
  • Goose egg click (no action needed from device owner): Yes
  • Render device inoperable: Yes
  • Read client data: Yes
  • Change client data: Yep
  • Latest firmware vulnerable: Yes (as of 21 June 2021)
  • Latest products vulnerable: Aye
  • Deprival of Service vulnerability: Yes
  • Potentially enable concrete assail on site: Yep
  • Attack internal network: Yes

The is the most serious course of vulnerability for this device blazon.

Vulnerability details

Not for public release in order to protect companies/end users.

Proof of Concept (POC) example

Hikvision HSRC (Hikvision Security Response Middle) requested POC of the vulnerability when I commencement reported it to them, and I replied with working code within 2 hours or then.

Equally it's non responsible to disclose a POC, I instead decided to make a video showing it in action, though I have subsequently agreed with Hikvision not to release it.

Rather than but use my ain equipment equally a target, which could seem contrived, I enlisted the aid of a friend from the http://ipcamtalk.com forum, @alistairstevenson, who kindly put up a real live camera with permission to exploit. I wasn't told the access credentials but during the attack information technology was clear information technology's running 2021 firmware and camera was manufactured January 2021.

The video showed a real world example of me attacking this target, obtaining information that should exist only available to the owner, obtaining a root shell accessible via SSH (fifty-fifty though SSH disabled in the web interface), and ultimately bypassing the camera admin web portal authentication.

A few stills from the real target POC video

I don't know the root/admin countersign.

We get device information we shouldn't be able to get, the contents of /etc/passwd (the admin business relationship countersign is e'er the same equally the photographic camera web portal admin password) and add together our ain system root account:

Get device information, /etc/passwd, add a root account and spawn dropbear (SSH server) on a port of our choice:

That business relationship is using the restricted advisory shell Hikvision limits the camera owner to, so we add a root business relationship with /bin/sh shell, login via SSH:

Bypass restricted shell for full root shell

Disable spider web hallmark and login to target camera admin web pages with any password. In reality nosotros already have a far more than important root shell but I wanted to demonstrate spider web folio login is trivial at this point:

Web Interface authentication bypassed

With a root shell, a existent attacker could have easily taken a big range of hostile actions at this indicate.

Recommendations made to Hikvision

I fabricated a number of recommendations in my study to HSRC.

I identified the flawed code that was the trouble, and indicated how I thought information technology best to remedy it.

I don't have access to their code base repositories, but rather needed to decrypt firmware, and opposite engineer lawmaking nevertheless I still found it.

Event new firmware as soon every bit possible and issue a public security advisory.

Received patched IPC_G3 (V5.5.800 build 210628) and IPC H5 (V5.v.800 build 210628) firmware from HSRC for testing.

Decrypted and reversed the code in addition to live testing on my own equipment and confirmed to HSRC that the patched firmware resolves the vulnerability.

Was further pleased to note this problem was stock-still in the mode I recommended.

Is this a Chinese Regime mandated backdoor?

No, definitely Not. You lot wouldn't do it like this. And not all firmware types are afflicted.

28 September 2021 update: expanded answer provided here

Additional

I'one thousand a security researcher who used to look after servers, networks and 1000s of people's data in a former life, and the final few months knowing this exists on such a large scale has been worrying.

Nonetheless I needed to wait xc days after reporting before making any responsible public disclosure, whilst providing assist to them and encouraging patched firmware to exist developed, tested, published and a public security advisory issued.

I'd recommend you lot practice non expose any IoT device to the Internet no affair who information technology is made by - or in which land the device is fabricated (including USA, Europe etc). Use a VPN for access if needed. Block outbound traffic as well if at all possible - I also like to give these devices the wrong gateway (router) IP.

You can find me at ipcamtalk.com, or watchfulip@protonmail.com

Watchful IP

Thanks

Thanks to the members of ipcamtalk.com who agreed a security research testing scope with me and provided admission to some photographic camera types I didn't own. In particular:

  • @alistairstevenson
  • @iTuneDVR
  • @Securame
  • @rawinek
  • @cyrusbyte

Give thanks you to Hikvision - particularly the Head of HSRC, his team and R&D for working hard to prepare this quickly. I sent them lots of emails and reports which they kindly liaised with me on.

Affected Firmware Types

Notes:

I do non have the ability to decrypt all firmware types, nor access to all versions and so am unable to check all firmware.

Normally firmware types use the prefix IPC (IP Photographic camera = not PTZ) or IPD (IP Dome = PTZ photographic camera). Date code is in the form YYMMDD.

OEM firmware is not listed - in that location's too many to try to obtain and bank check.

At time of writing updated firmware seems to be properly deployed on the Hikvision China region firmware portal for Chinese region devices, only only partially on the Global site. On the European www.hikvisioneurope.com and Russian http://ftp.hikvision.ru sites fifty-fifty much of the updated firmware from the incomplete Global site is missing. Other regional portals are also probable unreliable.

Some NVRs are too afflicted, though they were not within the original telescopic of this study. Delight refer to Hikvision'southward advisory for more information.

Vulnerable IP Camera Firmware

Type Most contempo vulnerable Firmware Version
IPC_E0 IPC_E0_CN_STD_5.4.6_180112
IPC_E1 unknown
IPC_E2 IPC_E2_EN_STD_5.5.52_180620
IPC_E4 unknown
IPC_E6 IPCK_E6_EN_STD_5.5.100_200226
IPC_E7 IPCK_E7_EN_STD_5.5.120_200604
IPC_G3 IPC_G3_EN_STD_5.5.160_210416
IPC_G5 IPC_G5_EN_STD_5.v.113_210317
IPC_H1 IPC_H1_EN_STD_5.iv.61_181204
IPC_H5 IPCP_H5_EN_STD_5.five.85_201120
IPC_H8 Factory installed firmware mid 2021
IPC_R2 IPC_R2_EN_STD_V5.4.81_180203

Some of these are from 2018, but they were the most upwards to date firmware available at time of report.


Vulnerable PTZ Camera Firmware

Type Most recent vulnerable Firmware Version
IPD_E7 IPDEX_E7_EN_STD_5.6.30_210526
IPD_G3 IPDES_G3_EN_STD_5.5.42_210106
IPD_H5 IPD_H5_EN_STD_5.5.41_200911
IPD_H7 IPD_H7_EN_STD_5.5.40_200721
IPD_H8 IPD_H8_EN_STD_5.7.1_210619


Vulnerable Legacy Firmware

Proven to be vulnerable - though newer firmware has existed for some time which doesn't have the vulnerability.

Blazon Vulnerable Firmware Version
IPC_R7 Up to 5.iv.x
IPD_R7 Up to v.iv.ten
IPC_G0 Up to v.4.x
IPC_H3 Up to 5.4.x
IPD_H3 Up to 5.4.10

Perchance others too - these are just ones I stumbled beyond and I wasn't actually looking for legacy issues. At that place's lots of cameras with old vulnerable firmware accessible on the Net according to shodan however.

Affected Model List

Coming up with a proper affected model list is hard:

  • Chinese region variants have oftentimes have their own model names
  • Some firmware does not have public release notes that list the compatible models
  • There'south a huge number of OEM resellers with their own model numbers

For this reason I think it better to just include the list Hikvision have published in their security advisory:

Affected Models 1 Affected Models 2 Affected Models 3

Timeline

Vulnerability discovered: Dominicus 20 June 2021

Manufacturer notified of issue: Monday 21 June 2021 xvi:xvi to HSRC@hikvision.com and support.uk@hikvision.com. Unfortunately HSRC didn't receive this due to it being defenseless by a spam filter.

Wednesday 23 June 2021 01:00 Follow up e-mail to HSRC@hikvision.com and 400@hikvision.com, additionally sent pdf re-create of electronic mail via vulnerability submission class at https://www.hikvision.com/europe/support/cybersecurity/report-an-issue/

Wednesday 23 June 2021 04:27 received reply from HSRC@hikvision.com requesting report on my findings.

Wednesday 23 June 2021 05:40 v1.0.0 of vulnerability details (WIP-2021-06-HIK-2) emailled to HSRC@hikvision.com

Wednesday 23 June 2021 07:42 HSRC confirm they have reproduced the issue.

Wednesday 07 July 2021 Request for disclosure timeline and CVE details in the next seven days.

Sunday 12 July 2021 HSRC inform me of the CVE ID they accept applied for (CVE-2021-36260)

Wednesday 04 August 2021 notify HSRC of my intention to brand limited public disclosure 90 days later my initial report 20 September 2021. I insist companies/end-users know there is risk and they demand to update devices.

Tuesday 17 August 2021 HSRC send patched IPC_G3 (built 28 June 2021) and IPC_H5 (built 28 June 2021) for testing

Wednesday xviii August 2021 informed HSRC testing on patched firmware consummate – urge them to release firmware as soon as possible on all firmware portals.

Sabbatum 18 September 2021 Hikvision and I publish our respective advisory/report

Source: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html

Posted by: whitemintough.blogspot.com

0 Response to "Can You Roll Back The Firmware On Hikvision Cameras?"

Post a Comment

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel