Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

[watchful_ip]

Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

RFC Response

Command Injection Vulnerability

September 19, 2021

www.hikvision.com

Hikvision FAQ for this vulnerability

I'm not able to provide more detail than is the report, so if I don't address points below, or reply even in private that's why - no offense is intended to anybody. But by all means leave any feedback below - I'd really enjoy reading it.

Affected IP Camera Firmware Types

Hikvision EU Firmware Portal now updated:

IP Camera Firmware
PTZ Camera Firmware
NVR Firmware

update 04 Oct 2021: Hikvision USA now includes direct links to updates:

updated firmware links

 

[john-ipvm]

Very thorough report!

PRC law mandates PRC companies disclose such vulnerabilities to the government, excerpt: "The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days." The PRC government has therefore had this for months.

This may realisticlly impact 100+ million cameras, since it goes back years and also impacts Hikvision's dozen or hundreds of OEMs. To give context, Hikvision claimed back in 2016 to manufacturer more than 55 million cameras and, of course, those annual numbers have increased since then.

 

[Mike A.]

Yet another reason never to expose these things. Good job on the exploit and demonstration.

 

[bashis]

Congrats to your finding, It's very interesting stuff, I and most probably many others will now start looking for the RCE, since you stated you will not release any technical details nor PoC.

 

[alastairstevenson]

"Some Hikvision products" is a pretty large affected list - and huge if you also include OEM models.

 

[bashis]

"Some Hikvision products" is a pretty large affected list - and huge if you also include OEM models.

Yep, as with Hikua, always refer to "some products"... Indeed, huge amount of affected devices of this I believe.

 

[fergenheimer]

Cheers to @alastairstevenson and the other members for their part in demonstrating the exploit! Great that this community is part of the answer!

 

[aamuk]

Thank you @watchful_ip for your thorough investigation and pursuing the matter.

Now Hikvision need to properly disseminate the information and get the fixes available throughout their various worldwide sites and to the OEMs.

 

[alastairstevenson]

Now Hikvision need to properly disseminate the information and get the fixes available throughout their various worldwide sites and to the OEMs.

In reality though, most users will be blissfully unaware of this vulnerability, ignorant of the potential exploits, and of the need to do a firmware update.
And will be either having port forwarding active by default (UPnP enabled on both router and cameras) or deliberately using it as the simple and convenient method that it is for viewing the cameras when away from home.

 

[mat200]

Thanks @watchful_ip excellent job.

Thanks @alastairstevenson @iTuneDVR @Securame @rawinek @cyrusbyte

 

[Smilingreen]

Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

Command Injection Vulnerability

September 19, 2021

www.hikvision.com

I can't provide any comments on this, but by all means leave any feedback below - I'd really enjoy reading it.

Thanks for the heads up. 2 of my devices had firmware updates available. I had just checked them a couple of weeks ago. Guess I need to check them more often?

 

[aamuk]

In reality though, most users will be blissfully unaware of this vulnerability, ignorant of the potential exploits, and of the need to do a firmware update.
And will be either having port forwarding active by default (UPnP enabled on both router and cameras) or deliberately using it as the simple and convenient method that it is for viewing the cameras when away from home.

I totally agree that most users are blissfully unaware of these issues but for those of us who do want to know this stuff, Hikvision do not make it easy.

For example, if I go to the local UK website there is currently no mention of anything relating to CVE-2021-36260 under support >> cyber security, whereas if I go to support >> cyber security on the global website there is a subsection called security advisories that contains the information.

Similarly, I don’t want to have to search their various sites to find the latest firmware and it would be nice if they regularly included changelogs or release notes with them. Also recently all the non-AcuSense I-series NVRs have been marked EOL on the UK site. I’ve no idea if they’re actually being discontinued but, putting it politely, I’d be somewhat annoyed if got some new hardware to find out that it’s been deemed EOL just after I bought it.

 

[watchful_ip]

FYI updated IPC_G3 firmware can be found at

DS-2CD2026G2-I(U)

Hikvision DS-2CD2026G2-I(U) 2 MP AcuSense Fixed Mini Bullet Network Camera

www.hikvision.com

It's the one that is not (C) which refers to IPC_G5.

 

[Spirch]

FYI updated IPC_G3 firmware can be found at

DS-2CD2026G2-I(U)

Hikvision DS-2CD2026G2-I(U) 2 MP AcuSense Fixed Mini Bullet Network Camera

www.hikvision.com

It's the one that is not (C) which refers to IPC_G5.

i assume this would be ok for the colorvu ds-2cd2087g2-lu too? question would be, what else changed in that firmware, only security fix or other things?

right now my camera are behind firewall but i'm not yet ready to install it unless i know what else might have changed

 

[watchful_ip]

i assume this would be ok for the colorvu ds-2cd2087g2-lu too

Yes - any IPC_G3 camera.

 

[john-ipvm]

We (IPVM) have published a report on the vulnerability and Watchful_IP's report - Hikvision Has "Highest Level of Critical Vulnerability", Impacting 100+ Million Devices

 

[alastairstevenson]

This small excerpt from the IPVM report really underlines the scale and severity of this vulnerability :

We estimate 100+ million devices globally are impacted by this vulnerability making it, by far, the biggest vulnerability to ever hit video surveillance. The combination of its critical nature (9.8 / "zero click unauthenticated remote code execution") and Hikvision's massive market size make this risk unprecedented.

You heard it first on ipcamtalk !

 

[alastairstevenson]

FYI updated IPC_G3 firmware can be found at

DS-2CD2026G2-I(U)

Hikvision DS-2CD2026G2-I(U) 2 MP AcuSense Fixed Mini Bullet Network Camera

www.hikvision.com

It's the one that is not (C) which refers to IPC_G5.

The file naming that Hikvision have used is singularly useless - maybe it means something, but it's not obvious to me :
6d0bf05c-d030-42a1-991d-77d5c376633f.zip

 

[korin1]

@watchful_ip does that effect hilook aswell?
Subsidiary company of hikvision

@alastairstevenson
wouldn't be better if this post would be in cyber security thread?

 

[watchful_ip]

@watchful_ip does that effect hilook aswell?
Subsidiary company of hikvision

@alastairstevenson
wouldn't be better if this post would be in cyber security thread?

Hi - I did think about posting in the cyber security thread but I don't think it would have been seen by as many people with Hikvision cameras/NVRs. I'll make a quick post there now, though if that's against forum rules (duplicate post) mods feel free to delete

I'm not familiar with Hilook sorry.