Regarding the handling of a security vulnerability discovered in June 2021 in the web server of certain Hikvision IP camera product lines: the Hikvision Security Response Center (HSRC) contacted and worked with the security researcher Watchful IP, who discovered this critical vulnerability and followed the standard coordinated disclosure process, to patch the vulnerability and verify that the fix resolves it.
I. Details of the security vulnerability
- Code: HSRC-202109-01
- Published by: Hikvision Security Response Center (HSRC)
- Release Date: 2021-09-19
- CVE ID (Common Vulnerabilities and Exposures identifier): CVE-2021-36260
- Score: scored according to the published CVSS v3 specification (http://www.first.org/cvss/specification-document). Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Temporal Score: 8.8 (E:P/RL:O/RC:C)
- Exploitability: the attacker needs access to the device's network, or the device must be directly exposed to the internet.
- Attack step: sending a specially crafted message.
- Source of the vulnerability information: this vulnerability was reported to HSRC by the UK security researcher Watchful IP.
- Description: a command injection vulnerability in the web server of some Hikvision products. Because of insufficient input validation, an attacker can exploit the vulnerability by sending specially crafted messages, resulting in a command injection attack.
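The description names the vulnerability class (command injection caused by insufficient input validation in a web server) without giving the affected handler, and the advisory contains no further technical detail. The following Python block is an added, constructed illustration of that class in general, not Hikvision's code: the endpoint, the "language" parameter and the helper program are hypothetical (`echo` stands in for the helper so the example runs anywhere). It places the vulnerable pattern beside the two hardening steps a web handler needs, calling a program without a shell and rejecting values outside an allow-list, plus a simple detection check for request logs.

```python
import re
import subprocess

# Hypothetical helper the handler runs to apply a setting; `echo` stands in for it.
HELPER = "echo"

# Allow-list of values the handler legitimately accepts (constructed).
ALLOWED_LANGUAGES = {"en", "de", "fr", "vi", "zh"}

# Shell metacharacters whose presence in a short token is a useful log/IDS signal.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"]")


def apply_language_vulnerable(language: str) -> str:
    """Vulnerable pattern: the request value is spliced into a command line that
    a shell interprets, so metacharacters in the value become extra commands."""
    cmd = f"{HELPER} {language}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def apply_language_no_shell(language: str) -> str:
    """First fix: argv list, no shell. The value is passed as exactly one
    argument whatever characters it contains; nothing is parsed as a command."""
    out = subprocess.run([HELPER, language], capture_output=True, text=True)
    return out.stdout


def apply_language_hardened(language: str) -> str:
    """Hardened handler: validate against an allow-list first (reject rather than
    sanitise), then call without a shell as defence in depth."""
    if language not in ALLOWED_LANGUAGES:
        raise ValueError(f"rejected language value: {language!r}")
    return apply_language_no_shell(language)


def looks_like_injection(value: str) -> bool:
    """Detection-side check for request logs: flag a parameter that carries
    shell metacharacters so a WAF or SIEM rule can alert on it."""
    return SHELL_META.search(value) is not None


if __name__ == "__main__":
    crafted = "en; echo INJECTED"   # constructed crafted value, benign payload
    print(repr(apply_language_vulnerable(crafted)))   # 'en\nINJECTED\n'
    print(repr(apply_language_no_shell(crafted)))     # 'en; echo INJECTED\n'
    try:
        apply_language_hardened(crafted)
    except ValueError as exc:
        print("hardened handler:", exc)
    print(looks_like_injection(crafted))              # True
```

In the vulnerable handler the crafted value produces two shell commands and the second one's output appears; without a shell the same value is a single literal argument, and the hardened handler never reaches the helper because the value is not on the allow-list. The detection check is deliberately coarse: it is meant for alerting on logged request parameters, not as a substitute for the allow-list.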
II. List of devices affected by CVE-2021-36260
No. | Model | Affected versions |
---|---|---|
1 | DS-2CVxxx1 DS-2CVxxx5 DS-2CVxxx6 | Version released before June 25, 2021 |
2 | IPC-xxxx | Version released before June 25, 2021 |
3 | DS-2CD1xx1 | Version released before June 25, 2021 |
4 | DS-2CD1x23 DS-2CD1x43(B) DS-2CD1x43(C) DS-2CD1x43G0E DS-2CD1x53(B) DS-2CD1x53(C) | Version released before June 25, 2021 |
5 | DS-2CD1xx7G0 | Version released before June 25, 2021 |
6 | DS-2CD2xx6G2 DS-2CD2xx7G2 | Version released before June 25, 2021 |
7 | DS-2CD2x21G0 | Version released before June 25, 2021 |
8 | DS-2CD2xx3G2 | Version released before June 25, 2021 |
9 | DS-2CD3xx6G2 DS-2CD3xx7G2 | Version released before June 25, 2021 |
10 | DS-2CD3xx7G0E | Version released before June 25, 2021 |
11 | DS-2CD3x21G0 DS-2CD3x51G0 | Version released before June 25, 2021 |
12 | DS-2CD3xx3G2 | Version released before June 25, 2021 |
13 | DS-2CD4xx0 DS-2CD4xx6 DS-2CD5xx7 DS-2CD5xx5 iDS-2XM6810 iDS-2CD6810 | Version released before June 25, 2021 |
14 | DS-2XE62x7FWD(D) DS-2XE30x6FWD(B) DS-2XE60x6FWD(B) DS-2XE62x2F(D) DS-2XC66x5G0 DS-2XE64x2F(B) | Version released before June 25, 2021 |
15 | DS-2CD7xx6G0 DS-2CD8Cx6G0 | Version released before June 25, 2021 |
16 | KBA18(C)-83x6FWD | Version released before June 25, 2021 |
17 | (i)DS-2DExxxx | Version released before June 25, 2021 |
18 | (i)DS-2PTxxxx | Version released before June 25, 2021 |
19 | (i)DS-2SE7xxxx | Version released before June 25, 2021 |
20 | DS-2DYHxxxx | Version released before June 25, 2021 |
21 | DS-DY9xxxx | Version released before June 25, 2021 |
22 | PTZ-Nxxxx | Version released before June 25, 2021 |
23 | DS-2DF5xxxx DS-2DF6xxxx DS-2DF6xxxx-Cx DS-2DF7xxxx DS-2DF8xxxx DS-2DF9xxxx | Version released before June 25, 2021 |
24 | iDS-2PT9xxxx | Version released before June 25, 2021 |
25 | iDS-2SK7xxxx iDS-2SK8xxxx | Version released before June 25, 2021 |
26 | iDS-2SR8xxxx | Version released before June 25, 2021 |
27 | iDS-2VSxxxx | Version released before June 25, 2021 |
28 | DS-2TBxxx DS-Bxxxx DS-2TDxxxxB | Version released before July 2, 2021 |
29 | DS-2TD1xxx-xx DS-2TD2xxx-xx | Version released before July 2, 2021 |
30 | DS-2TD41xx-xx/Wx DS-2TD62xx-xx/Wx DS-2TD81xx-xx/Wx DS-2TD4xxx-xx/V2 DS-2TD62xx-xx/V2 DS-2TD81xx-xx/V2 | Version released before July 2, 2021 |
31 | DS-76xxNI-K1xx(C) DS-76xxNI-Qxx(C) DS-HiLookI-NVR-1xxMHxx(C) DS-HiLookI-NVR-2xxMHxx(C) | V4.30.210 released on December 24, 2021; V4.31.000 released on 5/11/2021 |
32 | DS-71xxNI-Q1xx(C) DS-HiLookI-NVR-1xxMHxx(C) DS-HiLookI-NVR-1xxHxx(C) | V4.30.300 released on Feb 21, 2021; V4.31.100 released on 5/11/2021 |
III. Fixed firmware versions
Users should download the updated firmware to protect against this vulnerability. The updated version is available on the official Hikvision website.
Download Link : Firmware download
IV. Announcement from Hikvision Vietnam
Accordingly, on September 18 Hikvision published the Security Notification regarding a critical web server vulnerability in certain Hikvision products on its official website. Fixed firmware versions were released immediately to address this issue.
In addition, as a CVE Numbering Authority (CNA), Hikvision is committed to continuing to work with third-party security researchers and white-hat hackers to find, patch, disclose and release product updates in a timely and appropriate manner, as expected of a CVE CNA vulnerability management team.