Hanwha Recorder Vulnerability Analyzed

Published May 18, 2017 04:00 AM

ICS-CERT has released a vulnerability notice for Hanwha SRN-4000 recorders.

Hanwha provided additional information to IPVM about this issue, including other models impacted by the same vulnerability that are not listed on the ICS-CERT release. In this report we provide details on the vulnerability, affected products, and firmware builds for these products to resolve this vulnerability.

Vulnerability ********

*** **** ************ ******:

* ********* ******* **** ******* *** response ***** ***** ** ******** ** gain ****** ** *** ****** ********** page **** ***** ********** ******* ****** authentication.

****** **** **** **** ************* ** ***** on ***** ****** ** * ********/******* from * ***** ***** ***** ***** session. **** ***** **** ** ***** be *********** ********** *** ** ******** who *** *** ********** ****** ********** access ** *** ******** ******* * normal ***** ** ******** **** ************* on * ****** ********.

** ** *******, * ****** ******** finding * **** ** ****** ********* on****** ***** *** ******* **** ************* ** gain "**** ****" ****** ** ***** systems.

** ****** **** ** ***** **** we **** ***** ****** ****** *********, and ****** ***** ** ******* ****.

Units ********

******'* ***-**** ******** [**** ** ****** *********] ** listed ** *** **** **** ********, though ****** *** ********* **** *** following ****** *** ****** **** *** the *** ********* *** **** ********* impacted:

  • ***-**** ******** ***** ** **.*********
  • ***-***** ******** ***** ** **.*********
  • ***-**** ******** ***** ** **.*********
  • ***-**** ******** ***** ** **.*********

******'* ************* ******, ***** **** *** ******* ** customers, *** ********** *******.

******** *** *** ******** ***** *** be ********** **** ******'* ******* ******** ****** [link ** ****** *********].

Hanwha ***** ******** *** ****

********* ** ******, **** **** ***** notified ***** **** ***** ** *** 2016. ******** ****** *** ************* *** the ***-****/***/**** ****** *** ******** ** August ****, *** ***-**** ******** *** not ******* ** *** **** ****, due ** ******** ******** ***********, *** was **** ******** ** ***** ****. To ***** ******, ****** *** *********** with ******* *********** *** ********* *** release *********, *** *** *********** **** SRN-4000 ******** ******* ****** **** **** addressed ** *** **** **** ** the ***** *****.

Pledge ****** ******* ** *** ******

****** **** **** *** ****** * cybersecurity-specific ******* ** ***** *******, *** are ********* ** ****** ******** *** notification ***** *** *** ****** *********.

Vulnerability ******/**********

****** **** ************* ** ***** ************ ***** ** *.* ** ***-****, *** ********* ** *** **** in ***** ** *** ** ********, the *********** **** * **** **** previously ************ ****** **** *** ******** limits **** **** ***** ********* ** random *********. ************, ******'* ********* *** less ******* **** ***** *******, *** we ******** *** ***** ****** ** affected ***** ** ** ** *** 10's ** ********* (** **********, ****** manufacturers **** ****** **** ******** ** cameras). ***** ********* ****** *** **** this ** * ****** ** ***** immediate ******** *******, *** ******** **** to ***** ** ***** *********, *** the ******** ** ***** ** ***** than *************** **** ***** *** ****** attacker ** ****** * ******.

Call *** ***********

** *** **** ******* **** ********** information ** *** *************, ********** ************* Hanwha's ***********, ****** ******* ** ***** us (****@****.***) *** ** **** *********** that.

 

Comments (16)
Robert Shih
May 18, 2017
Independent

Notice how much less of a reaction this is getting from everyone, both from proponents and opponents. Hanwha is much less polarizing than Hik or Dahua and is much less in the spotlight these days, but these reporters are still doing their job and reporting on them. While in a few days or weeks, when the next Hikvision or Dahua scandal comes out, shills will complain that somehow the coverage from IPVM is unfair and they don't report on anyone else's problems.

This, again, clearly shows that Chinese manufacturers have a persecution complex going on.

John Honovich
May 18, 2017
IPVM

Hanwha helped themselves by talking to us and providing input. Of course, that they had an actual explanation helped.

As I have mentioned previously, Hikvision has refused to formally speak to us for over a year, on anything. Ironically, just yesterday a company we had covered mentioned that IPVM was responsive listening and incorporating feedback from them in response to Hikvision criticizing us. I made a comment there that Hikvision is the one who refuses and we are open to talking to them. Hikvision deleted my comment.

Undisclosed Manufacturer #1
May 18, 2017

I can't believe this article. This is such a super big giant Roving Turret of Disparagement and Denigration.

Undisclosed Integrator #3
May 18, 2017

John, could this be a potential vulnerability with HiSilicon-based firmware? It seems like a very scary pattern IMO.

Brian Karas
May 18, 2017
IPVM

From what Hanwha described of this vulnerability it does not sound like the HiSilicon vulnerabilities, which were buffer overflow and directory traversal exploits.

As for the pattern we are seeing, I think that more end-users, integrators, researchers and others are becoming aware of the number of internet-connected security devices, and the potential for exploit. This is leading to more vulnerabilities being discovered and reported for many vendors.

 

Marty Calhoun
May 19, 2017
IPVMU Certified

I'm curious as this is categorized as a 'vulnerability' but the last HIKVISION incident was described as a 'back door'. What is the IPVM position on the difference between the two? Just curious, please no government or partial owner affiliation with the Government.

Brian Karas
May 19, 2017
IPVM

The Hikvision incident was also described as a vulnerability, and the vulnerability type was a "backdoor".

The Hikvision and Dahua vulnerabilities that were described as backdoors were ones in which any person armed with knowledge of the vulnerabilities could use it to gain admin-level access to any device they could connect to.

This Hanwha vulnerability is one where session data is not properly deleted from the PC (or from the recorder itself), allowing a person who already logged in as an admin to access the device again without going through standard authentication.

The Hikvision/Dahua backdoor was a weakness open to anyone, the Hanwha exploit listed here requires someone to have already had admin access.

Undisclosed Manufacturer #4
May 19, 2017

HiSilicon firmware SDK gives a Linux kernel the base libraries for all hardware IO, but does not have its own web browser functions. Or any samples / sources to develop on, you got to do this yourself!

It seems this is where the network security products fall over, as the developers have -100 skills on security, and rush everything to market so their boss can order the latest Mercedes or BMW.

Backdoors with secret passwords based on dates etc. are common and normal.

Buffer overflows, lack of SSL, poor certificate handling, almost zero checks, cookies which stay longer than Cookie Monster can eat.

Undisclosed Integrator #2
May 19, 2017

Or any samples / sources to develop on, you got to do this yourself!

This statement makes me wonder how much of our industry is based on copy/pasting sample code and then modifying from there?

Undisclosed Integrator #3
May 19, 2017

A good portion of this industry's software is probably based off of C&P Code. One of the key things I was taught while getting my computer science degree is you don't reinvent the wheel. 

"Reuse, Recycle, and Return to Gethub" - Direct quote from Professor. 

Undisclosed Integrator #2
May 18, 2017

Hanwha also doesn't have any unofficial spokesmen on here throwing accusations of persecution going on either.  I posit that makes the backlash against Hikvision much more pronounced.

Undisclosed Distributor #5
May 19, 2017

I've mentioned a few times how Dahua and Hik content like this is made a Public article, this one is not. I'm sure there is a way to spin the choice, but it could be spun two ways.

Undisclosed Manufacturer #6
May 19, 2017

I think it has to do with how widespread the issue is. The H & D issues affected millions of devices. The Hanwha issue affects thousands or tens of thousands of units. A different scale of magnitude. Furthermore, this affects a limited number of models from a specific time period, vs. dozens of models spanning years of production.

John Honovich
May 19, 2017
IPVM

Dahua and Hik content like this is made a Public article, this one is not

Incorrect.

For example, here are two recent Hikvision vulnerability posts that are members only: Hikvision Privilege-Escalating Security Vulnerability and Hikvision Cloud Security Vulnerability Uncovered. And the Dahua backdoor one was half members only, including the test report.

I am sure you would like to 'spun' it pro-Hikvision because you are a Hikvision distributor.

Listen, if you or anyone can get proof that this Hanwha vulnerability is NOT "based on files cached in a computer/browser from a prior valid admin login session", we will happily run it as 'front page' public news. Right now, with what we know that makes it quite limited.

Undisclosed Manufacturer #7
May 19, 2017

Hanwha supporters, such as myself, are not as tacky as Hik and Dahua supporters. That's not to say that we aren't tacky in our own right, we're just not that tacky.

Eddie Perry
May 22, 2017

Look what I saw on the home page there that popped up this weekend

 

On the home page............

 

 
