Subscriber Discussion

DHS Issues ICS-CERT Advisory Towards Hikvision - New Vulnerability Found?

Undisclosed Integrator #1
May 04, 2017

Reading this article, it appears a new vulnerability was found in Hikvision cameras? Anyone have any info on this one?

https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01

Undisclosed #2
May 04, 2017

Passwords located within config files?

Eddie Perry
May 04, 2017

Pffft....

"Hikvision has released updates to mitigate the improper authentication vulnerability in cameras sold through authorized distributers. Hikvision has not mitigated the password in configuration file vulnerability."

"ATTENTION: Remotely exploitable/low skill level to exploit."

Time for some damage control. Paging hik-shills: come on, comrades, time to save the people's security camera business.

Undisclosed #3
May 04, 2017
IPVMU Certified

"Hikvision has not mitigated the password in configuration file vulnerability."

Bad. But how does one get to see the configuration file?

Robert Shih
May 04, 2017
Independent

This sounds suspiciously like the Dahua version of the problem.

Brian Karas
May 04, 2017
IPVM

This CERT listing says it was reported by Montecrypto, it is most likely what triggered Hikvision's recent Security Vulnerability Notice.

Looking into this further, will post as we find more details.

Sean Nelson
May 04, 2017
Nelly's Security

Pretty certain this is just a reiteration of what has already been discussed. But it will for sure make an IPVM headline.

Marty Calhoun
May 04, 2017
IPVMU Certified

We’re pleased to announce that Hikvision’s successful progress on a privilege-escalating vulnerability has been acknowledged by ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Specifically, ICS-CERT has recognized that on March 15, 2017 Hikvision released the fixed firmware version 5.4.5 to address the user privilege-escalation vulnerability.

This is very positive, not a threat to customers. Typical IPVM trashing HIKVISION for no cause.

The headline should read:

What other company has INVITED ICS to their house for a review?

Brian Karas
May 04, 2017
IPVM

"We’re pleased to announce"

Marty, who is "we" in this context? Are you now officially speaking for Hikvision? (serious question).

"This is very positive, not a threat to customers. Typical IPVM trashing HIKVISION for no cause."

It's a huge threat to customers, simply releasing firmware does not magically patch the many thousands of affected devices in the field that are vulnerable.

"Typical IPVM trashing HIKVISION for no cause."

If you look up at the top, you will see this discussion was started by an integrator, not IPVM staff. And it was not trashing Hikvision, just someone legitimately concerned and looking for additional detail on this critical vulnerability.

"What other company has INVITED ICS to their house for a review?"

Hikvision did not invite anyone in for a review, an independent researcher found a significant flaw that a company that wants to call itself a "leader" in the industry should have been able to catch on their own, or more realistically, never release in the first place.

We will release a full report on this next week, but this is a very severe issue, it is not positive for Hikvision, it makes the company look bad to anyone who is concerned about cybersecurity, or concerned about Hikvision's ability to deliver enterprise-grade products.

Undisclosed #3
May 04, 2017
IPVMU Certified

"This is very positive..."

Yes, it's rated a very "positive" +8.8 on a scale of 1 to 10 by ICS-CERT, where 10 is as bad as they come.

Undisclosed Integrator #1
May 04, 2017

"Typical IPVM trashing HIKVISION for no cause."

Really Marty? I'm a Hikvision dealer, I posted this because "MY CUSTOMERS" get this bulletin, I wasn't sure how I should respond to them. So before I hid under my desk in the fetal position with my hands over my ears, I decided to post this article to ask the well informed IPVM community if this is a new vulnerability or not.

And security vulnerabilities and published exploits are a real pain in my butt, because I have to perform remediations on them in addition to the 500+ other things that are on my list... So kind of a big deal in my world, and I have to document that every one of the Hikvision cameras I installed has had its firmware updated.

Guillaume Poirier
May 05, 2017
IPVMU Certified

I agree.

It is often a blaming game. People are blaming manufacturers, instead of blaming installers - who do not configure their devices properly.

For example Panasonic cameras were used by a Russian hacking website, since the installer didn't change the password. Even the camera shows: "Change Password". Can you blame the Russians or Panasonic? Why is nobody blaming the installer?!

http://www.cbc.ca/news/canada/nova-scotia/rankin-school-students-security-video-camera-russian-website-1.2762291

Jon Dillabaugh
May 04, 2017
Pro Focus LLC

This is what was discovered a month two months ago that led to them releasing firmware 5.4.5 to address the most pressing issue, Improper Authentication.

The second part has yet to be resolved, which is the password being stored in an encrypted config file in the device memory. If a user has access to this file, they could possibly decrypt the file and gain access to the credentials. However, they would need this level of authentication to gain access to the file to begin with.

To say this is nothing would be foolish. But, not realizing this was old news would be silly too.

John Honovich
May 04, 2017
IPVM

"not realizing this was old news would be silly too."

Surely we will debate whether this is 'old' or 'fake' news next week. Brian is reviewing the advisory in detail tomorrow and will plan a report for next week.

To be clear, what is news here are (1) the details of how it can be done (recall Hikvision obscured and downplayed it in March), (2) that the US Department of Homeland Security issued an advisory and (3) the high / critical scores given to this.

Avatar
Sean Nelson
May 04, 2017
Nelly's Security

Looks like the Dahua vulnerability was listed same day as well:
https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02

Appears this was simply reported to the ICS all at once, most likely.

Undisclosed #3
May 04, 2017
IPVMU Certified

The million dollar question, posed by someone who goes by "john-ipvm", is can an anonymous viewing account use this flaw to escalate to root.

Since anonymous viewing is easy to discover and often enabled, this would make the vulnerability far worse, essentially a remote-root exploit for those devices.