Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

Bink

Those look to be IPC_R0 and IPC_R6 and you should be fine.
It appears R6 is vulnerable? From someone who reached out to Hikvision UK:
Hikvision UK said:
Yes, your model is not on the initial list of affected cameras, but in reality, this issue will affect almost all Hikvision cameras as most of them are not running firmware with a build time more recent than 210625 (25th June 2021). If you go back to that vulnerability post you will see that I have updated the fixed firmware table today with more models that were not on the initial list.

Currently, Hikvision has not published a fixed firmware for R6 cameras (2x22FWD, 2x42FWD) like the one you have, but there should be a new version posted in the next couple of days.

I should also point out that we are based in the UK so all the firmware I have linked to in that table is from the UK & EU portals and those versions may not be compatible with US camera models.

If you can't get a response from US Hikvision support then I would just keep monitoring the product page because the fixed firmware should be posted publicly soon.
 

watchful_ip

Only device types I found to be exploitable were in the report.

Though I'm not beyond making a mistake - if you check the github commits you'll see I barely know how to put a page together without loads of errors :p Couldn't even get my email address right.....

I suck

I'm not able to provide more info than is in the report though, so if I don't address points here, or reply even in private that's why - no offense is intended to anybody.

As an aside, there's a free cybersecurity course they've put out:

Hikvision Cybersecurity Course

In it Hikvision recommend not to expose IoT devices to the Internet, and to put them on a separate part of the network that's restricted. That's advice I can definitely agree with.
 

user8963

It seems that the new firmware removes the feature to link the LEDs to motion detection on model 2047G2 and 2087G2.
It's only available in version 5.5.114

This is ridiculous.

before:
before.png

after update:
after.png
 

Mtv

It seems that the new firmware removes the feature to link the LEDs to motion detection on model 2047G2 and 2087G2.
It's only available in version 5.5.114

This is ridiculous.

This (5.5.114) is for the firmware based on G5 (C) models and has the LED lights in it ;-) I'm not sure if 5.5.800 (for the removal of the vulnerabilities) for the firmware based on G3 (non-C) models also removes the LED part. That was for sure the case in the (C) model firmware, but I haven't installed this new firmware on my G3 firmware devices.

Then Hikvision also made it very difficult by bringing out 5.5.800 for the G3 firmware, while earlier they used that numbering only for the G5 firmware (C models).

Regarding G5 (C): 5.5.800 and 5.5.801 remove the LED light, and 5.5.114 restores it. The vulnerability is still in 5.5.114. @watchful_ip
Regarding G3 (non-C): 5.5.800 G3 is to remove the vulnerability; the LED light option has not been removed. @ljw2k
 

watchful_ip

If the build date is before 21 June 2021 when I reported it, then IPC_G3/IPC_G5 is vulnerable.

Though if it's not accessible on the Internet, and no access to your internal network is possible, then you're not really at any significant risk.
 
Last edited:
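
Added example, not part of any post in this thread: a Python triage of a camera/NVR inventory by firmware build date, using the 210625 cutoff quoted from Hikvision UK earlier in the thread. The device names and the `parse_build`/`triage` helpers are hypothetical, and a post-cutoff build date is only a heuristic, not proof that a device is patched.

```python
import re
from datetime import date

# Cutoff quoted in the thread from Hikvision UK: firmware with a build time
# not more recent than 210625 (25 June 2021) needs the fixed firmware.
CUTOFF = date(2021, 6, 25)

# Forms seen in the thread: "V5.5.800 build210628", "5.5.160_210416",
# "V4.40.815_210709" (a space after "build" is also tolerated).
_VERSION_RE = re.compile(
    r"V?(?P<ver>\d+\.\d+\.\d+)(?:_|\s*build\s*)(?P<ymd>\d{6})\b", re.IGNORECASE
)

def parse_build(version_string):
    """Return (version, build_date), or None if the string is unrecognised."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return None
    yy, mm, dd = (int(m["ymd"][i:i + 2]) for i in (0, 2, 4))
    try:
        return m["ver"], date(2000 + yy, mm, dd)
    except ValueError:  # e.g. month 13: not a real YYMMDD build stamp
        return None

def triage(inventory, cutoff=CUTOFF):
    """Map each device name to 'update', 'post-cutoff' or 'unknown'."""
    result = {}
    for name, version_string in inventory.items():
        parsed = parse_build(version_string)
        if parsed is None:
            result[name] = "unknown"      # check by hand; never assume safe
        elif parsed[1] <= cutoff:
            result[name] = "update"       # built on or before the cutoff
        else:
            result[name] = "post-cutoff"  # still confirm against vendor table
    return result

# Constructed inventory: hypothetical device names, version strings as quoted
# in the thread, plus one entry with no build date at all.
SAMPLE = {
    "cam-g3-old": "5.5.160_210416",
    "cam-g3-new": "V5.5.800 build210628",
    "nvr-acusense": "V4.40.815_210709",
    "oem-rebrand": "V5.5.114",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {status}")
```
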

tinkerbear

Those look to be IPC_R0 and IPC_R6 and you should be fine.

A good rule of thumb is to check Hikvision's Global Firmware site, and if there's new firmware for your camera there apply it (assuming it's a non-imported camera).
I note that Hikvision has posted a new firmware for the R0 cameras on the European site, 3 days ago. The previous update was in 2017. I'm wondering if they're not listed as vulnerable because they're considered obsolete products? Or maybe there's a closely-related error they've decided to fix.

It'd be nice to have a testing tool... which I expect can't happen until everyone's had a chance to install new firmware.

EDIT: I've installed that new firmware on both my "International English" R0 cameras, and it appears to be running just fine. (One of them is originally the Chinese version de-bricked and forced to international by a lovely hack from these here forums.) No new features, but then I would assume they only fixed what needed fixing.
 

dimo

Thank you both very much, watchful_ip and alastairstevenson.

Does anybody know if DS-7716NXI-I4/S, 1st Generation Acusense NVR, is affected?
Hikvision has an update only for 3rd Generation Acusense (C) at latest firmware.
In fact it has DS-7716NXI-I4/S listed 2 times, linked to the same firmware update V4.40.815_210709, only for (C).
Nothing at the EU portal.

aaaaa.JPG

Also, did you notice any malfunction upgrading from 5.5.160_210416 to V5.5.800 build210628 on the G3 platform (2XX6G2 no ISU / SL)?
 

alastairstevenson

The use-ip.co.uk forum has some useful chat on this big vulnerability.
Use-IP have very helpfully started populating a table of models against updated firmware.
Check the posts above this one, also the updated Hikvision notifications here:

 


watchful_ip

All credit to @watchful_ip - all I did was provide the testing ground.
Way more than that!

@alastairstevenson was a HUGE help. He kept my confidence on this for a long time before this went public, and though there were things I couldn't share even with him, his support was invaluable. A large amount of credit goes to him but he's too modest to accept it and probably would prefer I didn't mention it :)
 

nutt318

Nice job on finding this!

Question: any way of knowing that an OEM supplier of HIK USA firmware is patched?

I contacted our reseller we've purchased many CompanyBrand (Hikvision) cameras from, but their serials and model numbers are different than the ones listed on the CVE. They told me that their OEM line is not Hik USA and therefore not compatible with Hik firmware or the vulnerability. However, they have a Hikvision login page when going to the camera. Sooo..... I'd love to see if these rebranded Hikvisions are vulnerable even though they've stated otherwise.
 

watchful_ip

Is there a "Firmware Version Property" field in System Settings | Basic Information?

If there is it should give an indication as to the type of device firmware it uses.
 

nutt318

Is there a "Firmware Version Property" field in System Settings | Basic Information?

If there is it should give an indication as to the type of device firmware it uses.
Here is a screenshot
2021-09-29_15h36_50.png
 

nutt318

Awesome, now I see how to reference your guide and the correlation on firmware versions, so the IPC_XX or IPD_XX matches the version property listed on the camera settings page?
 