Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

watchful_ip

RFC Response


Hikvision FAQ for this vulnerability

I'm not able to provide more detail than is in the report, so if I don't address points below, or reply, even in private, that's why - no offense is intended to anybody. But by all means leave any feedback below - I'd really enjoy reading it.

Affected IP Camera Firmware Types

Hikvision EU Firmware Portal now updated:

IP Camera Firmware
PTZ Camera Firmware
NVR Firmware


Update 04 Oct 2021: Hikvision USA now includes direct links to updates:

updated firmware links
 

john-ipvm

Very thorough report!

PRC law mandates PRC companies disclose such vulnerabilities to the government, excerpt: "The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days." The PRC government has therefore had this for months.

This may realistically impact 100+ million cameras, since it goes back years and also impacts Hikvision's dozens or hundreds of OEMs. To give context, Hikvision claimed back in 2016 to manufacture more than 55 million cameras and, of course, those annual numbers have increased since then.
 

alastairstevenson

Now Hikvision need to properly disseminate the information and get the fixes available throughout their various worldwide sites and to the OEMs.
In reality though, most users will be blissfully unaware of this vulnerability, ignorant of the potential exploits, and of the need to do a firmware update.
And will be either having port forwarding active by default (UPnP enabled on both router and cameras) or deliberately using it as the simple and convenient method that it is for viewing the cameras when away from home.
 

Smilingreen

> I can't provide any comments on this, but by all means leave any feedback below - I'd really enjoy reading it.

Thanks for the heads up. 2 of my devices had firmware updates available. I had just checked them a couple of weeks ago. Guess I need to check them more often?
 

aamuk

> In reality though, most users will be blissfully unaware of this vulnerability, ignorant of the potential exploits, and of the need to do a firmware update.
> And will be either having port forwarding active by default (UPnP enabled on both router and cameras) or deliberately using it as the simple and convenient method that it is for viewing the cameras when away from home.

I totally agree that most users are blissfully unaware of these issues but for those of us who do want to know this stuff, Hikvision do not make it easy.

For example, if I go to the local UK website there is currently no mention of anything relating to CVE-2021-36260 under support >> cyber security, whereas if I go to support >> cyber security on the global website there is a subsection called security advisories that contains the information.

Similarly, I don’t want to have to search their various sites to find the latest firmware and it would be nice if they regularly included changelogs or release notes with them. Also recently all the non-AcuSense I-series NVRs have been marked EOL on the UK site. I’ve no idea if they’re actually being discontinued but, putting it politely, I’d be somewhat annoyed if I got some new hardware to find out that it’s been deemed EOL just after I bought it.
 

Spirch

> FYI updated IPC_G3 firmware can be found at
>
> It's the one that is not (C) which refers to IPC_G5.

I assume this would be OK for the colorvu ds-2cd2087g2-lu too? The question would be, what else changed in that firmware: only the security fix, or other things?

Right now my cameras are behind a firewall, but I'm not yet ready to install it unless I know what else might have changed.
 

alastairstevenson

This small excerpt from the IPVM report really underlines the scale and severity of this vulnerability:

> We estimate 100+ million devices globally are impacted by this vulnerability making it, by far, the biggest vulnerability to ever hit video surveillance. The combination of its critical nature (9.8 / "zero click unauthenticated remote code execution") and Hikvision's massive market size make this risk unprecedented.

You heard it first on ipcamtalk!
 

alastairstevenson

> FYI updated IPC_G3 firmware can be found at
>
> It's the one that is not (C) which refers to IPC_G5.

The file naming that Hikvision have used is singularly useless - maybe it means something, but it's not obvious to me:
6d0bf05c-d030-42a1-991d-77d5c376633f.zip
 

watchful_ip

> @watchful_ip does that affect hilook as well?
> Subsidiary company of Hikvision
>
> @alastairstevenson
> wouldn't it be better if this post would be in the cyber security thread?

Hi - I did think about posting in the cyber security thread but I don't think it would have been seen by as many people with Hikvision cameras/NVRs. I'll make a quick post there now, though if that's against forum rules (duplicate post) mods feel free to delete :)

I'm not familiar with Hilook sorry.
 