Security Notification - Buffer Overflow Vulnerability in Some Hikvision IP Cameras

fenderman


alastairstevenson

It's good to see the proper Security Notification for this - much more professional than it used to be.
It would have been interesting to see how they'd respond if the vulnerability had been in the older EOL products as opposed to the new ones with the re-written firmware.
 

dealpapa

Crying. My DS-2CD2032F-I will never get an update any more.

I just updated my DS-2CD2035-I to IPC_G0_CN_STD_5.5.53_180716; it seems not to fix the problem. Crying again.
 

Raymond G

I'm curious how you all are using these cameras that such a vulnerability matters. All of my cameras connect directly to my NVRs. Only the NVR is connected to the rest of the network. It would seem that such an issue would be limited to devices that have direct access to the camera and I struggle to see a situation where that would make sense. I suppose if you're using something like BlueIris it would be more common to have them sitting directly on the network but in those cases wouldn't it be more simplistic to buy a small switch and isolate the devices from your network?

I'm not trying to over speak or out technical anyone; I'm genuinely curious if there is something I'm missing or a use case I'm just not familiar with where this is an issue.
 

fenderman

> I'm curious how you all are using these cameras that such a vulnerability matters. All of my cameras connect directly to my NVRs. Only the NVR is connected to the rest of the network. It would seem that such an issue would be limited to devices that have direct access to the camera and I struggle to see a situation where that would make sense. I suppose if you're using something like BlueIris it would be more common to have them sitting directly on the network but in those cases wouldn't it be more simplistic to buy a small switch and isolate the devices from your network?
>
> I'm not trying to over speak or out technical anyone; I'm genuinely curious if there is something I'm missing or a use case I'm just not familiar with where this is an issue.

You are mistaken...there is no greater risk of this vulnerability when using something like Blue Iris even if sitting on the same network...the vulnerability requires that the camera be port forwarded or that your network is compromised, in which case you have bigger problems...as noted you can isolate the cameras and/or simply block internet access.
Also note that even with an NVR there are several methods of having direct access to the camera from the LAN the NVR sits on. Here is one example: Hikvision POE LAN segment - access to cameras without virtual host or extra wiring.
 

SouthernYankee

I am not concerned. All my cameras are on a separate subnet into the Blue Iris PC. Cameras are all hardwired. I access Blue Iris from a VPN. No port forwarding.
 

Raymond G

> You are mistaken...there is no greater risk of this vulnerability when using something like Blue Iris even if sitting on the same network....

I guess I was giving a bit too much credibility to the separation. But I do feel like that method you listed still relates to a weakness in the NVR as it requires root level access to the NVR to perform. For clarity I understand that having the NVR up to date would be important but without a known weakness in that box it seems the separation (and thus the protection) would stand.

Re-reading your response I think we fundamentally agree and I understand. I was trying to communicate that on a BlueIris type setup that would be where you would likely be fearful of such a security issue as those people were more likely to connect to a 'multi-use' network.

Again. Please know that I am here to learn and do not think that I'm attempting to challenge anyone's knowledge of these systems.
 

fenderman

> I guess I was giving a bit too much credibility to the separation. But I do feel like that method you listed still relates to a weakness in the NVR as it requires root level access to the NVR to perform. For clarity I understand that having the NVR up to date would be important but without a known weakness in that box it seems the separation (and thus the protection) would stand.
>
> Re-reading your response I think we fundamentally agree and I understand. I was trying to communicate that on a BlueIris type setup that would be where you would likely be fearful of such a security issue as those people were more likely to connect to a 'multi-use' network.
>
> Again. Please know that I am here to learn and do not think that I'm attempting to challenge anyone's knowledge of these systems.

Yes, we do agree that this is a non-issue if the cameras are not port forwarded....however I disagree that there is inherently more risk on a BI setup even when using it on a basic network. First, it would require the cameras be port forwarded, which is not needed on a BI setup. Second, and perhaps more importantly, you are assuming that folks are home running the cameras to the NVR and that the NVR has a built-in PoE. That is not necessarily the case.
 

Raymond G

> you are assuming that folks are home running the cameras to the NVR and that the NVR has a built-in PoE. That is not necessarily the case.

Yes. I was making that assumption.

I wasn't intending to imply an issue with BI but less specifically the nature of having a system where there wasn't a box to plug the cameras directly into; leading many people to connect their cameras on their existing switches; thereby side-by-side with internet connected devices.

If they are sharing a switch and there are no VLANs or other separation (amazing the setups some people have in their house) they would be obviously wide open.

So it sounds like I was in line with my thinking but there are scenarios where the NVR could be an attack vector for the cameras.
 

alastairstevenson

> But I do feel like that method you listed still relates to a weakness in the NVR as it requires root level access to the NVR to perform.

Not any more.
My post pre-dated the implementation of the 'Virtual Host' facility in the NVR firmware.
It's now very simple to gain full access to NVR-POE-ports-connected cameras, and for them to connect to the internet.

> For clarity I understand that having the NVR up to date would be important but without a known weakness in that box it seems the separation (and thus the protection) would stand.

There is no real separation with Virtual Host, which is a genuinely useful feature, active.
 

fenderman

> Yes. I was making that assumption.
>
> I wasn't intending to imply an issue with BI but less specifically the nature of having a system where there wasn't a box to plug the cameras directly into; leading many people to connect their cameras on their existing switches; thereby side-by-side with internet connected devices.
>
> If they are sharing a switch and there are no VLANs or other separation (amazing the setups some people have in their house) they would be obviously wide open.
>
> So it sounds like I was in line with my thinking but there are scenarios where the NVR could be an attack vector for the cameras.

The NVR itself is a vulnerability...remember the same geniuses that wrote the code for the camera wrote it for the NVR...it's really simple, don't expose any of it and the risk is exactly the same regardless of what recording option you use.
 

Raymond G

> Not any more.
> There is no real separation with Virtual Host, which is a genuinely useful feature, active.

So I've read more about this and it appears that it simply enables port forwarding on the NVR as you would on any router. So if you're using it for occasional configuration and maintenance you could simply leave it off and enable when needed. Other than an annoying reboot to contend with; potentially two if you wanted to disable it again.

> The NVR itself is a vulnerability...remember the same geniuses that wrote the code for the camera wrote it for the NVR...it's really simple, don't expose any of it and the risk is exactly the same regardless of what recording option you use.

I disagree with that statement. If you have a typical network setup where a firewall is protecting a switch and NVR with NVR connected cameras. Having the NVR is tantamount to having a second firewall for the cameras. Again stipulating there may be issues on the NVR but the cameras are behind what is realistically two firewalls.

The same scenario without a NVR would mean those cameras were parallel with the recording system unless other steps had been taken to isolate them.

If the NVR itself is suspect the only methods to protect would be air-gap separation to another network, firewalls between LAN and NVR (with cameras behind NVR) or physically disconnected system (which isn't realistic these days). Having the NVR at least limits the number of threat vectors if it doesn't limit the nature or type of them.
 

fenderman

> I disagree with that statement. If you have a typical network setup where a firewall is protecting a switch and NVR with NVR connected cameras. Having the NVR is tantamount to having a second firewall for the cameras. Again stipulating there may be issues on the NVR but the cameras are behind what is realistically two firewalls.
>
> The same scenario without a NVR would mean those cameras were parallel with the recording system unless other steps had been taken to isolate them.
>
> If the NVR itself is suspect the only methods to protect would be air-gap separation to another network, firewalls between LAN and NVR (with cameras behind NVR) or physically disconnected system (which isn't realistic these days). Having the NVR at least limits the number of threat vectors if it doesn't limit the nature or type of them.

Once again you are completely missing the point and that is, if the cameras are not port forwarded they are not subject to the vulnerability and the same goes for the NVR. You are not any more protected by your "second firewall" than you would be without it as there is zero threat. I referenced the NVR vulnerability to highlight the fact it too must NEVER be exposed to the net as it is subject to vulnerabilities as we have seen over and over again in the past.
So once again, you get ZERO benefit of the NVR if there is no port forwarding going on and if there is, you are exposed to essentially the same threat because the NVRs are hacked all the time. The solution as discussed here is to use a VPN. If you are port forwarding your NVR you are making a big mistake. If you are not port forwarding the NVR and cams you get no benefit from your "second firewall".
 

alastairstevenson

> So I've read more about this and it appears that it simply enables port forwarding on the NVR as you would on any router

Don't confuse the Linux 'ip_forward' capability with a router 'port forward' capability - they are not the same thing, though there is some similarity.
In the router, there is a NATed firewall between the interfaces that you can apply exception rules to.
In the NVR, there is just a logical switch to allow or disallow all traffic to traverse any network interfaces it provides.

> Having the NVR is tantamount to having a second firewall for the cameras.

It's certainly not a firewall, and best not to think of it as one.
The NVR firmware is potentially just as vulnerable as the camera firmware to exploits that the developers have missed.
That's why it should not be exposed to the internet any more than the cameras should be.
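
The 'ip_forward' versus 'port forward' distinction drawn in the post above, as an added example that is not part of the thread and not taken from any NVR firmware: a small audit that reads a Linux host's `ip_forward` value and `iptables-save` output and reports whether forwarding is off, all-or-nothing, or limited to explicit exceptions. It assumes a generic Linux host using iptables; the interface names, addresses, ports and both sample rulesets are constructed.

```python
import re

# Constructed samples (not taken from any real device): the value of
# /proc/sys/net/ipv4/ip_forward and `iptables-save` output for two hosts.
ROUTER = ("1", """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wan0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.50.10:443
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.50.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
""")
PLAIN_FORWARDER = ("1", """\
*filter
:FORWARD ACCEPT [0:0]
COMMIT
""")

def assess(ip_forward, iptables_save):
    """Classify how traffic may cross between this host's interfaces."""
    routing = ip_forward.strip() == "1"
    m = re.search(r"^:FORWARD (\w+)", iptables_save, re.M)
    policy = m.group(1) if m else "ACCEPT"   # kernel default with no ruleset loaded
    # Any explicit DROP/REJECT rule in FORWARD means some filtering exists.
    filtered = policy != "ACCEPT" or bool(
        re.search(r"^-A FORWARD .*-j (DROP|REJECT)", iptables_save, re.M))
    # DNAT rules are the "port forward" exceptions a router admin configures.
    dnat = re.findall(
        r"^-A PREROUTING .*--dport (\d+) .*-j DNAT --to-destination (\S+)",
        iptables_save, re.M)
    if not routing:
        exposure = "none"        # kernel does not pass packets between interfaces
    elif not filtered:
        exposure = "blanket"     # all-or-nothing: everything may traverse
    else:
        exposure = "exceptions"  # filtered: the rules decide what passes
    return {"routing": routing, "forward_policy": policy, "exposure": exposure,
            "port_forwards": [(int(p), dst) for p, dst in dnat]}

if __name__ == "__main__":
    for name, host in (("router", ROUTER), ("plain forwarder", PLAIN_FORWARDER)):
        print(name, assess(*host))
```

A "blanket" result is the case where the host offers no separation between the segments it joins, so it should be treated as a path to the devices behind it rather than as a firewall.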
 