The Cybersecurity and Infrastructure Security Agency (CISA) announced Tuesday the presence of a critical ‘Command Injection’ vulnerability in the webserver of some Hikvision cameras. Due to insufficient input validation, an attacker can potentially exploit the vulnerability to launch a command injection attack by sending a specially crafted message with malicious commands.
Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk, according to a notice from Watchful IP. The vulnerability was reported to Hikvision Security Response Center (HSRC) by UK security researcher Watchful IP.
Watchful IP described it as a zero-click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras, thereby putting connected internal networks at risk.
Tracked as CVE-2021-36260, the vulnerability has been found across at least 79 different models of networked Hikvision cameras. The security loophole permits an attacker to gain full control of a device with an unrestricted root shell, which is far more access than even the owner of the device has as they are restricted to a limited ‘protected shell’ (psh), which filters the input to a predefined set of limited, mostly informational commands. In addition to complete compromise of the IP camera, internal networks can then be accessed and attacked.
CISA has advised users and administrators to review Hikvision’s Security Advisory and apply the latest firmware updates. The updated firmware that fixes the problem of the vulnerability found in Hikvision cameras has been available on the company’s website.
In an HSRC security notification, the attacker has access to the device network or the device with a direct interface with the internet and can send a specially crafted message.
“Firmware from as long ago as 2016 has been tested and found to be vulnerable. Only access to the http(s) server port (typically 80/443) is needed. No username or password needed nor any actions need to be initiated by camera owner. It will not be detectable by any logging on the camera itself,” it added.
Having discovered the vulnerability on Jun. 20, Watchful IP reported the presence of the RCE vulnerability to Hikvision on the next day. According to the notice, the researcher “wrote a full report to them identifying the problem code, the device types affected, POC and recommendations for resolution.”
Hikvision said that to exploit this vulnerability, an attacker must be on the same network as the vulnerable device. In other words, if the attacker can view the log-in screen of a vulnerable device, they could attack it. If they cannot get to the login screen of a vulnerable device, they are not able to exploit the vulnerability.
To evaluate the risk level of a vulnerable device, check if the affected model exposes its http/https servers (typically 80/443) directly to the Internet (WAN), which would give a potential attacker the ability to attack that device from the Internet, it added.
As far as we know, there’s no public proof of concept or any malicious use of this vulnerability to date, Hikvision said. “However, now that the patch has been released and attackers know that this vulnerability exists, they will be searching for it. If you have an affected camera/NVR whose http(s) service is directly exposed to the Internet, Hikvision highly recommends you to patch your device immediately (recommended), and using a more secure solution, like a VPN,” according to Hikvision.
Hikvision is among the list of communications equipment and services that have been deemed a threat to U.S. national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019. The list was released by the Federal Communications Commission’s Public Safety and Homeland Security Bureau in March this year.
The list includes five Chinese companies that produce telecommunications equipment and services that have been found to pose an unacceptable risk to U.S. national security, or the security and safety of U.S. persons. Apart from Hikvision, the other companies on the list include Huawei Technologies, ZTE, Hytera Communications, and Dahua Technology.
A cybersecurity expert recently asked the Federal Energy Regulatory Commission (FERC) to direct the North American Electric Reliability Corporation (NERC) to conduct a comprehensive survey of all registered entities in the bulk power systems (BPS) to determine what Chinese equipment or systems are currently in use in the BPS, and how they are being used.
The equipment identified can be also used in many other critical infrastructure sectors, including water and wastewater systems, pipelines, oil and gas, and manufacturing, Joe Weiss identified in a blog post earlier this month, following submission of his motion to intervene and comment, in a FERC complaint on the buying of critical equipment from the People’s Republic of China in the U.S. BPS and electric grid.