
List Of Hikvision Devices With Security Error CVE-2021-36260

Regarding the handling of a security vulnerability in some Hikvision IP camera product codes discovered in June 2021: the Hikvision Security Response Center (HSRC) contacted and worked with Watchful IP, the security researcher who discovered this critical vulnerability, and followed the standard Coordinated Disclosure Process to patch the vulnerability and verify that the fix was successful.

I. Details of the security hole

  • Code: HSRC-202109-01
  • Edited by: Hikvision Security Response Center (HSRC)
  • Release Date: 2021-09-19
  • CVE ID (identifier in the public vulnerability list): CVE-2021-36260
  • Score: Scored under the CVSS v3 standard (http://www.first.org/cvss/specification-document). Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Temporal Score: 8.8 (E:P/RL:O/RC:C)
  • Exploitability: The attacker has access to the device's network, or the device has a direct link to the internet.
  • Attack step: Send a specially crafted message.
  • Source of vulnerability information: This vulnerability was reported to HSRC by UK security researcher Watchful IP.
  • Description: Command injection vulnerability in the web server of some Hikvision products. Because input is not sufficiently validated, an attacker can exploit the vulnerability by sending malicious messages.

II. List of devices with security flaws CVE-2021-36260

| No. | Model | Affected version |
|---|---|---|
| 1 | DS-2CVxxx1, DS-2CVxxx5, DS-2CVxxx6 | Version released before June 25, 2021 |
| 2 | IPC-xxxx | Version released before June 25, 2021 |
| 3 | DS-2CD1xx1 | Version released before June 25, 2021 |
| 4 | DS-2CD1x23, DS-2CD1x43(B), DS-2CD1x43(C), DS-2CD1x43G0E, DS-2CD1x53(B), DS-2CD1x53(C) | Version released before June 25, 2021 |
| 5 | DS-2CD1xx7G0 | Version released before June 25, 2021 |
| 6 | DS-2CD2xx6G2, DS-2CD2xx7G2 | Version released before June 25, 2021 |
| 7 | DS-2CD2x21G0 | Version released before June 25, 2021 |
| 8 | DS-2CD2xx3G2 | Version released before June 25, 2021 |
| 9 | DS-2CD3xx6G2, DS-2CD3xx7G2 | Version released before June 25, 2021 |
| 10 | DS-2CD3xx7G0E | Version released before June 25, 2021 |
| 11 | DS-2CD3x21G0, DS-2CD3x51G0 | Version released before June 25, 2021 |
| 12 | DS-2CD3xx3G2 | Version released before June 25, 2021 |
| 13 | DS-2CD4xx0, DS-2CD4xx6, DS-2CD5xx7, DS-2CD5xx5, iDS-2XM6810, iDS-2CD6810 | Version released before June 25, 2021 |
| 14 | DS-2XE62x7FWD(D), DS-2XE30x6FWD(B), DS-2XE60x6FWD(B), DS-2XE62x2F(D), DS-2XC66x5G0, DS-2XE64x2F(B) | Version released before June 25, 2021 |
| 15 | DS-2CD7xx6G0, DS-2CD8Cx6G0 | Version released before June 25, 2021 |
| 16 | KBA18(C)-83x6FWD | Version released before June 25, 2021 |
| 17 | (i)DS-2DExxxx | Version released before June 25, 2021 |
| 18 | (i)DS-2PTxxxx | Version released before June 25, 2021 |
| 19 | (i)DS-2SE7xxxx | Version released before June 25, 2021 |
| 20 | DS-2DYHxxxx | Version released before June 25, 2021 |
| 21 | DS-DY9xxxx | Version released before June 25, 2021 |
| 22 | PTZ-Nxxxx | Version released before June 25, 2021 |
| 23 | DS-2DF5xxxx, DS-2DF6xxxx, DS-2DF6xxxx-Cx, DS-2DF7xxxx, DS-2DF8xxxx, DS-2DF9xxxx | Version released before June 25, 2021 |
| 24 | iDS-2PT9xxxx | Version released before June 25, 2021 |
| 25 | iDS-2SK7xxxx, iDS-2SK8xxxx | Version released before June 25, 2021 |
| 26 | iDS-2SR8xxxx | Version released before June 25, 2021 |
| 27 | iDS-2VSxxxx | Version released before June 25, 2021 |
| 28 | DS-2TBxxx, DS-Bxxxx, DS-2TDxxxxB | Version released before July 2, 2021 |
| 29 | DS-2TD1xxx-xx, DS-2TD2xxx-xx | Version released before July 2, 2021 |
| 30 | DS-2TD41xx-xx/Wx, DS-2TD62xx-xx/Wx, DS-2TD81xx-xx/Wx, DS-2TD4xxx-xx/V2, DS-2TD62xx-xx/V2, DS-2TD81xx-xx/V2 | Version released before July 2, 2021 |
| 31 | DS-76xxNI-K1xx(C), DS-76xxNI-Qxx(C), DS-HiLookI-NVR-1xxMHxx(C), DS-HiLookI-NVR-2xxMHxx(C) | V4.30.210 released on December 24, 2021; V4.31.000 released on 5/11/2021 |
| 32 | DS-71xxNI-Q1xx(C), DS-HiLookI-NVR-1xxMHxx(C), DS-HiLookI-NVR-1xxHxx(C) | V4.30.300 released Feb 21, 2021; V4.31.100 released on 5/11/2021 |
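
To triage an inventory against the table above, the following added example (not Hikvision's code) matches model names against a few of the listed patterns and compares the firmware release date with that row's cutoff. It assumes each lowercase "x" stands for one alphanumeric character, that a leading "(i)" means an optional "i", and that model suffixes after the pattern are allowed; the inventory entries are constructed.

```python
import re
from datetime import date

# Subset of the advisory table: (model patterns, cutoff date for that row).
# Extend with the remaining rows before using it on a real inventory.
AFFECTED = [
    (["DS-2CD2xx6G2", "DS-2CD2xx7G2"], date(2021, 6, 25)),
    (["DS-2CD2xx3G2"], date(2021, 6, 25)),
    (["(i)DS-2DExxxx"], date(2021, 6, 25)),
    (["DS-2TBxxx", "DS-Bxxxx", "DS-2TDxxxxB"], date(2021, 7, 2)),
]

def pattern_to_regex(pattern):
    """Turn an advisory pattern such as 'DS-2CD2xx6G2' into a prefix regex.

    Assumption: 'x' = one alphanumeric character, '(i)' = optional 'i'.
    """
    optional_i = pattern.startswith("(i)")
    body = pattern[3:] if optional_i else pattern
    parts = ["[0-9A-Za-z]" if ch == "x" else re.escape(ch) for ch in body]
    return re.compile(("i?" if optional_i else "") + "".join(parts))

RULES = [(pattern_to_regex(p), p, cutoff)
         for patterns, cutoff in AFFECTED for p in patterns]

def triage(model, firmware_released):
    """Return (status, matched_pattern) for one inventory entry."""
    for regex, pattern, cutoff in RULES:
        if regex.match(model.strip()):
            # The table lists versions released *before* the cutoff as affected.
            status = "affected" if firmware_released < cutoff else "not-affected"
            return status, pattern
    # Not matching this subset says nothing about the rest of the table.
    return "not-listed", None

# Constructed sample inventory: (model, firmware release date).
INVENTORY = [
    ("DS-2CD2046G2-I", date(2021, 3, 10)),
    ("DS-2CD2143G2-I", date(2021, 6, 28)),
    ("DS-2TD1217B-3/PA", date(2021, 6, 28)),  # thermal row: July 2 cutoff
    ("DS-7608NI-K2", date(2021, 1, 5)),
]

if __name__ == "__main__":
    for model, released in INVENTORY:
        status, pattern = triage(model, released)
        print(f"{model:20} {released}  {status:13} {pattern or '-'}")
```

The third entry shows why the cutoff has to be taken per row: firmware from June 28, 2021 clears the June 25 cutoff but is still affected on the thermal models, whose cutoff is July 2.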

III. Fixed Firmware Version

Users should download the updated version to guard against this potential vulnerability. The updated version is available on the Hikvision official website.

Download Link : Firmware download

IV. Announcement of Hikvision Vietnam

Accordingly, on September 18, Hikvision posted a security notice regarding a serious web server vulnerability in certain Hikvision product codes on its official website. The software (firmware) versions were immediately updated to fix this issue.

Besides, as a CVE Numbering Authority (CNA), Hikvision is committed to continuing to work with third parties, including security researchers and white-hat hackers, to find, patch, and disclose vulnerabilities and to release product updates in a timely manner, as befits the vulnerability management team of a CVE CNA.
