Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

korin1 said:
does that effect hilook aswell?
Click to expand...

Yes. Hilook cameras generally start with IPC- prefix, e.g., see screencap attached from Value Cameras The Hikvision disclosure says "IPC-xxxx" are impacted. I don't know all the model numbering of Hilook but minimally those IPC- ones are listed as impacted.

Related, Hiwatch, another Hikvision sub-brand is impacted as Hikvision includes HWI-xxxx, which is the general prefix for Hiwatch cameras.
 

Attachments

  • hilook.jpg
    hilook.jpg
    90.7 KB · Views: 21
Last edited:
  • Like
Reactions: mat200, sebastiantombs and alastairstevenson
watchful_ip said:
Hi - I did think about posting in the cyber security thread but I don't think it would have been seen by as many people with Hikvision cameras/NVRs. I'll make a quick post there now, though if that's against forum rules (duplicate post) mods feel free to delete :)

I'm not familiar with Hilook sorry.
Click to expand...
Perhaps mods can move it .

I can find a hilook device if you'd like , so you can try and see if this effect them aswell

Anyhow good job
 
  • Like
Reactions: sebastiantombs and watchful_ip
I have the following cameras - can anyone confirm whether or not they're impacted? Based on this list of impacted models listed here I think none of them are impacted but I want a sanity check to make sure I'm not misreading something:
DS-2CD2332-I
DS-2CD3332-I
DS-2CD2312-I
DS-2CD2542FWD
 
Those look to be IPC_R0 and IPC_R6 and you should be fine.

A good rule of thumb, is to check the Hikvision's Global Firmware site, and if there's new firmware for your camera there apply it (assuming it's a non-imported camera).

And as I said in my report, it is not recommended to put any IoT device made by anyone directly on the Internet if it's avoidable.
 
  • Like
Reactions: tinkerbear, mat200 and sebastiantombs
alastairstevenson said:
Be aware though that on the R0 cameras, any firmware that's older than 5.4.5 will have the 'Hikvision backdoor' vulnerability making it readily hacked if exposed.
Click to expand...

3-4 year old firmware..

This all depends on be able to download the configuration file no?
 
The write-up specifically notes this affects the HTTP/HTTPS ports. Anyone know if this has any effect on the camera’s “Server” and/or RTSP ports? Typically ports 8000 and 554, respectively.
 
Bink said:
The write-up specifically notes this affects the HTTP/HTTPS ports. Anyone know if this has any effect on the camera’s “Server” and/or RTSP ports? Typically ports 8000 and 554, respectively.
Click to expand...

"Only access to the http(s) server port (typically 80/443) is needed. "
 
Bink said:
The write-up specifically notes this affects the HTTP/HTTPS ports. Anyone know if this has any effect on the camera’s “Server” and/or RTSP ports? Typically ports 8000 and 554, respectively.
Click to expand...

In general, if a product has a webserver it can be running on the typical ports .. 80, 8000, 8080 .. often I see systems which have less resources only using one webserver software for multiple ports ..
( as well as the usual https ports )
 
  • Like
Reactions: sebastiantombs and Bink
Wooooo ... as a network/security admin in a previous life, this is some serious sh*t ...
That is an EXCELLENT report @watchful_ip - well done ... and the community (and hopefully Hikvision) thanks you.

It's a bit confusing trying to figure out exactly what models/firmware is affected.
For example, I have a DS-2CD2735FWD-IZS running firmware 5.6.3 (190923)
That specific model is NOT in the "xx" model list ... plus 5.6.3 appears to be "newer" that the affected firmware's of (mostly) 5.5.xxxx

But just to be sure I check Hikvision's firmware ... ummmmm ... can't see anything for the 2735 (oversight?) ... but there IS firmware for the very similar 2725 and 2745 (confirms the oversight?) that is Firmware_V5.6.6_210625 ... so I'm of the opinion that I should apply this - yes?
 
  • Like
Reactions: mat200, alastairstevenson, sebastiantombs and 1 other person
alekk said:
Wooooo ... as a network/security admin in a previous life, this is some serious sh*t ...
That is an EXCELLENT report @watchful_ip - well done ... and the community (and hopefully Hikvision) thanks you.

It's a bit confusing trying to figure out exactly what models/firmware is affected.
For example, I have a DS-2CD2735FWD-IZS running firmware 5.6.3 (190923)
That specific model is NOT in the "xx" model list ... plus 5.6.3 appears to be "newer" that the affected firmware's of (mostly) 5.5.xxxx

But just to be sure I check Hikvision's firmware ... ummmmm ... can't see anything for the 2735 (oversight?) ... but there IS firmware for the very similar 2725 and 2745 (confirms the oversight?) that is Firmware_V5.6.6_210625 ... so I'm of the opinion that I should apply this - yes?
Click to expand...

Thanks :)

That looks to be an IPC_G1 camera, and as such is fine.

Affected IP Camera Firmware Types
 
Last edited:
  • Like
Reactions: mat200, bashis and Bink
Thanks @watchful_ip ... although I was surprised that Hikvision has recent firmware for that G1 - link to European Portal (and release notes there show it applies to the 2735).

Another camera I have is the 5526G0 ... which I believe (?) is in the H3 family. That also appears NOT to be affected ... so maybe I dodged a bullet on this one!
Good thing since that specific camera is an early model and won't take upgrades beyond 5.5.91 ... I did ask Hikvision and they said sent it back and pay for service to possibly fix.
 
  • Like
Reactions: watchful_ip
  • Like
Reactions: mat200, sebastiantombs, watchful_ip and 1 other person
Only access to the http(s) server port (typically 80/443) is needed.

I'm concluding from this statement that this particular vulnerability does not apply to P2P. Correct?
 
You must log in or register to reply here.
Top Bottom