Hanwha Recorder Vulnerability Analyzed

By Brian Karas, Published May 18, 2017, 12:00am EDT

ICS-CERT has released a vulnerability notice for Hanwha SRN-4000 recorders

Hanwha provided additional information to IPVM about this issue, including other models impacted by the same vulnerability that are not listed on the ICS-CERT release. In this report we provide details on the vulnerability, affected products, and firmware builds for these products to resolve this vulnerability.

Vulnerability ********

*** **** ************ ******:

* ********* ******* **** request *** ******** ***** allow ** ******** ** gain ****** ** *** device ********** **** **** admin ********** ******* ****** authentication.

****** **** **** **** ************* is ***** ** ***** cached ** * ********/******* from * ***** ***** admin ***** *******. **** claim **** ** ***** be *********** ********** *** an ******** *** *** not ********** ****** ********** access ** *** ******** through * ****** ***** to ******** **** ************* on * ****** ********.

** ** *******, * random ******** ******* * list ** ****** ********* on****** ***** *** ******* **** vulnerability ** **** "**** door" ****** ** ***** systems.

** ****** **** ** noted **** ** **** never ****** ****** *********, and ****** ***** ** dispute ****.

Units ********

******'* ***-**** ******** [**** ** longer *********] ** ****** ** the **** **** ********, though ****** *** ********* that *** ********* ****** all ****** **** *** the *** ********* *** were ********* ********:

  • ***-**** ******** ***** ** v2.16_170401
  • ***-***** ******** ***** ** v1.08_160811
  • ***-**** ******** ***** ** **.*********
  • ***-**** ******** ***** ** **.*********

******'* ************* ******, ***** **** *** sending ** *********, *** additional *******.

******** *** *** ******** units *** ** ********** from Hanwha's ******* ******** ****** [link ** ****** *********].

Hanwha ***** ******** *** ****

********* ** ******, **** were ***** ******** ***** this ***** ** *** 2016. ******** ****** *** vulnerability *** *** ***-****/***/**** models *** ******** ** August ****, *** ***-**** firmware *** *** ******* at *** **** ****, due ** ******** ******** constraints, *** *** **** released ** ***** ****. To ***** ******, ****** was *********** **** ******* surrounding *** ********* *** release *********, *** *** acknowledge **** ***-**** ******** patches ****** **** **** addressed ** *** **** time ** *** ***** units.

Pledge ****** ******* ** *** ******

****** **** **** *** adding * *************-******** ******* to ***** *******, *** are ********* ** ****** reaction *** ************ ***** for *** ****** *********.

Vulnerability ******/**********

****** **** ************* ** ***** a*********** ***** ** *.* by ***-****, *** ********* ** the **** ** ***** it *** ** ********, the *********** **** * user **** ********** ************ logged **** *** ******** limits **** **** ***** exploited ** ****** *********. Additionally, ******'* ********* *** less ******* **** ***** cameras, *** ** ******** the ***** ****** ** affected ***** ** ** in *** **'* ** thousands (** **********, ****** manufacturers **** ****** **** millions ** *******). ***** customers ****** *** **** this ** * ****** to ***** ********* ******** updates, *** ******** **** to ***** ** ***** recorders, *** *** ******** at ***** ** ***** than *************** **** ***** any ****** ******** ** access * ******.

Call *** ***********

** *** **** ******* have ********** *********** ** the *************, ********** ************* Hanwha's ***********, ****** ******* or ***** ** (****@****.***) and ** **** *********** that.

 

Comments (16)

Robert Shih

Independent
05/18/17 06:49pm

Notice how much less of a reaction this is getting from everyone, both from proponents and opponents. Hanwha is much less polarizing than Hik or Dahua and is much less in the spotlight these days, but these reporters are still doing their job and reporting on them. While in a few days or weeks, when the next Hikvision or Dahua scandal comes out, shills will complain that somehow the coverage from IPVM is unfair and they don't report on anyone else's problems.

This again, clearly shows that Chinese manufacturers have a persecution complex going on.

Agree: 9
Disagree: 1
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Robert Shih | 05/18/17 07:37pm

Hanwha helped themselves by talking to us and providing input. Of course, that they had an actual explanation helped.

As I have mentioned previously, Hikvision has refused to formally speak to us for over a year, on anything. Ironically, just yesterday a company we had covered mentioned that IPVM was responsive listening and incorporating feedback from them in response to Hikvision criticizing us. I made a comment there that Hikvision is the one who refuses and we are open to talking to them. Hikvision deleted my comment.

Agree
Disagree
Informative: 1
Unhelpful
Funny: 1

Undisclosed Manufacturer #1

In reply to John Honovich | 05/18/17 09:27pm

I can't believe this article. this is such a super big giant Roving Turret of Disparagement and Denigration.

Agree
Disagree
Informative
Unhelpful
Funny: 8

Undisclosed Integrator #3

In reply to John Honovich | 05/18/17 11:14pm

John could this be a potential vulnerability with HiSillicon based firmware? It seems like a very scary pattern IMO. 

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed Integrator #3 | 05/18/17 11:40pm

From what Hanwha described of this vulnerability it does not sound like the HiSilicon vulnerabilities, which were buffer overflow and directory traversal exploits.

As for the pattern we are seeing, I think that more end-users, integrators, researchers and others are becoming aware of the number of internet-connected security devices, and the potential for exploit. This is leading to more vulnerabilities being discovered and reported for many vendors.

 

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

Marty Calhoun

IPVMU Certified | In reply to Brian Karas | 05/19/17 10:17am

Im curious as this is categorized as a 'vulnerability' but the last HIKVISION incident was described as a 'back door'. What is the IPVM position on the difference between the two? Just curious, please no government or partial owner affiliation with the Government.

Agree
Disagree
Informative
Unhelpful: 1
Funny
Avatar

Brian Karas

IPVM | In reply to Marty Calhoun | 05/19/17 11:45am

The Hikvision incident was also described as a vulnerability, and the vulnerability type was a "backdoor".

The Hikvision and Dahua vulnerabilities that were described as backdoors were ones in which any person armed with knowledge of the vulnerabilities could use it to gain admin-level access to any device they could connect to.

This Hanwha vulnerability is one where session data is not properly deleted from the PC (or from the recorder itself), allowing a person who already logged in as an admin to access the device again without going through standard authentication.

The Hikvision/Dahua backdoor was a weakness open to anyone, the Hanwha exploit listed here requires someone to have already had admin access.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

Undisclosed Manufacturer #4

In reply to Undisclosed Integrator #3 | 05/19/17 04:48am

HiSilicon firmware SDK gives a Linux kernel the base libraries for all hardware IO. but does not have it's own web browser functions. Or any samples / sources to develop on, you got to do this yourself!

It seems this is where the network security products fall over, as the developers have -100 skills on security, and rush everything to market so their boss can order the latest Mercedes or BMW

Backdoors with secret passwords based on dates etc are common and normal.

buffer overflows, lack of SSL, poor certificate handling, almost zero checks, cookies which stay long than cookie monster can eat.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny: 2

Undisclosed Integrator #2

In reply to Undisclosed Manufacturer #4 | 05/19/17 07:08am

Or any samples / sources to develop on, you got to do this yourself!

This statement makes me wonder much of our industry is based on copy/pasting sample code and then modifying from there?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #3

In reply to Undisclosed Integrator #2 | 05/19/17 06:56pm

A good portion of this industry's software is probably based off of C&P Code. One of the key things I was taught while getting my computer science degree is you don't reinvent the wheel. 

"Reuse, Recycle, and Return to Gethub" - Direct quote from Professor. 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #2

In reply to Robert Shih | 05/18/17 11:00pm

Hanwha also doesn't have any unofficial spokesmen on here throwing accusations of persecution going on either.  I posit that makes the backlash against Hikvision much more pronounced.

Agree: 5
Disagree
Informative
Unhelpful
Funny

Undisclosed Distributor #5

In reply to Robert Shih | 05/19/17 09:30am

I've mentioned a few times how Dahua and Hik content like this is made a Public article, this one is not. I'm sure there is a way to spin the choice, but it could be spun two ways.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #6

In reply to Undisclosed Distributor #5 | 05/19/17 02:30pm

I think it has to do with how widespread the issue is.  The H & D issues effected millions of devices.  The Hanwha issue effects thousands or tens of thousands of units.  A different scale of magnitude.  Furthermore this, effects a limited number of models from a specific time period, vs. dozens of models spanning years of production.

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed Distributor #5 | 05/19/17 02:44pm

Dahua and Hik content like this is made a Public article, this one is not

Incorrect.

For example, here two recent Hikvision vulnerability posts that are member's only: Hikvision Privilege-Escalating Security Vulnerability and Hikvision Cloud Security Vulnerability Uncovered. And the Dahua backdoor one was half member's only including the test report.

I am sure you would like to 'spun' it pro-Hikvision because you are a Hikvision distributor.

Listen, if you or anyone can get proof that this Hanwha vulnerability is NOT "based on files cached in a computer/browser from a prior valid admin login session", we will happily run it as 'front page' public news. Right now, with what we know that makes it quite limited.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #7

In reply to Robert Shih | 05/19/17 03:45pm

Hanwha supporters, such as myself, are not as tacky as Hik and Dahua supports.  That's not to say that we aren't tacky in our own right, we're just not that tacky.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Eddie Perry

05/22/17 01:09pm

Look what Saw on the home page there that pooped up this weekend

 

On the home page............

 

 

Hanwha_Main page

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 6,890 reports, 921 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports