Hanwha 1 High and 2 Medium Security Vulnerabilities 2023

bashis mcw
Published May 30, 2023 12:23 PM

IPVM discovered 3 vulnerabilities, 1 high and 2 medium severity, during cybersecurity testing of Hanwha IP cameras.


We reported to Hanwha S-CERT in February 2023 and Hanwha released its camera vulnerability report in April 2023, with an update in May 2023.

This was discovered in our research for IP Camera Cybersecurity Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview which has more details on Hanwha and other IP camera manufacturers. Also, see the companion report, Cloud IP Camera Cybersecurity Shootout - Ava, Meraki, Rhombus, Verkada.

In this report, IPVM explains the vulnerabilities and provides an analysis of their severity according to the NVD CVSSv3.1 calculator.

Executive Summary

Hanwha said it applied to KISA (KrCERT/CC, the South Korean CNA) for CVEs and was refused; IPVM then applied to MITRE and received the CVEs within two weeks.

At the time of writing, NVD had not published its analysis or CVSS severity ratings for these vulnerabilities. IPVM therefore provides its own initial analysis and scoring below and will update them when NVD releases its official ratings.

CVE-2023-31994, CVSSv3.1: 7.5 (high)

This vulnerability allows an unauthenticated attacker to cause a denial of service (DoS) with nothing more than a UDP nmap scan of the affected service ports; no payload needs to be sent to the camera.

The WS-Discovery service and Hanwha's proprietary discovery service were found to be vulnerable on all of Hanwha's cameras; a successful attack breaks discovery of the device until it is rebooted.

CVE-2023-31995, CVSSv3.1: 4.8 (medium)

Exploiting this vulnerability requires the victim to click on a URL supplied by the attacker while logged into the device; the payload is then routed through the vulnerable CGI script back to the victim's browser, where it executes.

The CGI program imagedownload.cgi was found to be vulnerable to authenticated reflected cross-site scripting (XSS) in POST requests, which allows an attacker to use the script to run malicious JavaScript in the victim's web browser.

CVE-2023-31996, CVSSv3.1: 6.5 (medium)

Exploiting this vulnerability requires the device's administrator password. With it, the attacker sends an HTTP request to the vulnerable CGI script in which the DefaultFolder parameter carries the payload, which the camera's operating system then executes.

The CGI program system.cgi was found to be vulnerable to authenticated command injection in its NAS storage test function, where the dollar sign ('$') and parentheses ('()') were not filtered out.

Disclosure Process

The disclosure process with Hanwha S-CERT, following IPVM's initial contact in February 2023 with the vulnerability report and proof of concept, went relatively smoothly, with only a few clarifications needed.

While communication between IPVM and Hanwha was good, Hanwha's CVE request to KISA (KrCERT/CC, the South Korean CNA) was not successful. Hanwha reported that KISA said the CVSS scores were too low for CVEs to be assigned:

We have received a response to our CVE registration request from KISA (KrCERT/CC - South Korea CNA). According to KISA, they said that all three vulnerabilities have CVSS scores below the standard (40 points), making CVE registration impossible. I don't know if this is KISA's own standard or all CNAs' standard, but it seems impossible to register CVE through KISA.

IPVM responded to Hanwha with our NVD CVSS v3.1 calculations (also shared in each CVE section below). Hanwha's response:

I forwarded your opinion to KISA and received a reply as an attached file. KISA is still saying that the criteria for CVE registration are not met. It is said that there is a customized self-evaluation standard based on CVSS, and it is said that it is impossible to disclose it. I think registering a CVE at KISA seems impossible. Please proceed with other CNA and CVE assignment you know of. Thanks for your help.

The purpose of a CVE is to provide a unique identifier that facilitates sharing information about a vulnerability between organizations, security vendors, researchers, and users.

IPVM then made a formal request to MITRE for the CVEs, which were issued within two weeks and which IPVM also shared with Hanwha. Meanwhile, Hanwha published its own vulnerability report.

CVE-2023-31994 - Unauthenticated DoS of WS Discovery and Hanwha proprietary discovery services.

During a standard nmap UDP scan, we observed that both the WS-Discovery and Hanwha proprietary discovery services stopped responding. Further examination showed that sending a single empty UDP packet to the listening service causes the service thread to become unresponsive, resulting in a denial of service (DoS).

Meanwhile, the main application continues to accept packets, so memory usage grows.

The PoC shows an Nmap UDP scan (-sU) of ports 3702 and 7701 with the 'snmp-info' script; the scan effectively sends no data, which is all that is needed.

The camera's built-in debug CGI program showed that the receive-queue (Recv-Q) buffers for UDP ports 7701 and 3702 remain occupied, because the service thread in the main application is no longer reading from them.
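The report does not say what in the camera's discovery services goes wrong when the empty datagram arrives, but the symptoms (a service thread that stops, a Recv-Q that stays full while the main process keeps accepting packets) match a common receive-loop mistake: treating a 0 return from recv() on a UDP socket as an error or end-of-stream, when on a datagram socket it only means that a zero-length datagram arrived. The following C program is an added example written for this page, not Hanwha's code; it reconstructs that pattern on a local AF_UNIX datagram socketpair, with a constructed "<Probe/>" string standing in for a WS-Discovery Probe, and runs the buggy loop next to the hardened one.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical discovery-service receive loop (an illustration, not Hanwha's code).
 * Reads every datagram queued on fd and returns how many non-empty probes it handled.
 * With stop_on_empty != 0 it reproduces the failure mode: a zero-length datagram, which
 * is what a UDP port scan delivers to a port it has no payload for, is treated as an
 * error or end-of-stream and the loop exits. On a datagram socket, recv() returning 0
 * just means "an empty datagram arrived"; the socket is still perfectly usable. */
static int serve_discovery(int fd, int stop_on_empty)
{
    char buf[1500];
    int handled = 0;

    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, MSG_DONTWAIT);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return handled;      /* EAGAIN: queue drained (a real service would block here) */
        }
        if (n == 0) {
            if (stop_on_empty)
                return handled;  /* BUG: the thread gives up; the socket stays open and keeps queueing */
            continue;            /* FIX: an empty datagram is not an error, keep serving */
        }
        /* A real service would parse a WS-Discovery Probe here and reply with a ProbeMatch. */
        handled++;
    }
}

/* Counts the datagrams still waiting in the socket's receive queue (what netstat shows as Recv-Q). */
static int queued_datagrams(int fd)
{
    char buf[1500];
    int count = 0;
    while (recv(fd, buf, sizeof buf, MSG_DONTWAIT) >= 0)
        count++;
    return count;
}

/* Constructed traffic: a probe, the empty datagram a UDP scan sends, then a probe from a
 * legitimate client that arrives after the scan. The probe text is a stand-in, not a real
 * WS-Discovery envelope. */
static void send_scan_sequence(int fd)
{
    static const char probe[] = "<Probe/>";
    send(fd, probe, sizeof probe - 1, 0);
    send(fd, "", 0, 0);                  /* zero-length datagram */
    send(fd, probe, sizeof probe - 1, 0);
}

/* Runs one scenario on a local AF_UNIX datagram socketpair (no network involved) and reports
 * how many probes the service answered and how many datagrams were left stuck in its queue. */
static int run_scenario(int stop_on_empty, int *handled, int *stuck)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    send_scan_sequence(sv[0]);
    *handled = serve_discovery(sv[1], stop_on_empty);
    *stuck = queued_datagrams(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return 0;
}

int main(void)
{
    int handled, stuck;
    if (run_scenario(1, &handled, &stuck) == 0)
        printf("buggy loop:    answered %d probe(s), %d datagram(s) stuck in Recv-Q\n", handled, stuck);
    if (run_scenario(0, &handled, &stuck) == 0)
        printf("hardened loop: answered %d probe(s), %d datagram(s) stuck in Recv-Q\n", handled, stuck);
    return 0;
}
```

The buggy loop answers the first probe, exits on the empty datagram and leaves the second client's probe unread in the queue, which is the picture the debug CGI gave (a Recv-Q that never drains while the process keeps accepting packets). The same test is worth running against any UDP listener you ship: a scanner's empty probe is the cheapest packet an attacker can send, so the receive path has to treat a zero-length read as ordinary input.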


IPVM's preliminary severity rating, calculated with CVSSv3.1, is 7.5 (high): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

IPVM will update with official CVSS severity once NVD has analyzed and published its official scoring.


  • Attack Vector
    • Network: the attack can only be exploited over a network.
  • Attack Complexity
    • Low: an attacker can expect repeatable success.
  • Privileges Required
    • None: no privileges are required to exploit.
  • User Interaction
    • None: no user interaction is required to exploit.
  • Scope
    • Unchanged: the vulnerable component and the impacted component are the same.
  • Confidentiality
    • None: the attacker cannot access restricted information on the device.
  • Integrity
    • None: the attacker cannot modify files on the device.
  • Availability
    • High: the attacker can fully deny access to the impacted services.


CVE-2023-31995 - Authenticated Reflected XSS

Unlike the command injection in CVE-2023-31996, cross-site scripting (XSS) injects malicious script into a web page, where it is executed by the user's browser. Filtering for XSS aims to neutralize characters such as angle brackets, quotes, and script tags that can break out of the intended HTML context and inject code; encoding the value for its output context achieves the same goal more reliably.

The CGI program /home/setup/imagedownload.cgi was found vulnerable to reflected XSS in POST requests.

The first parameter, "imageData", must be base64-encoded in the request and is decoded by the CGI program; the second parameter, "backupfileData", is not base64-encoded.
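The base64 wrapper on imageData matters for defenders: any filter that inspects the raw request parameter for '<' or "script" sees only base64 text, and the dangerous characters appear after the CGI has decoded it. The following C sketch is an added example, not code from IPVM or from imagedownload.cgi: a hypothetical render_response() decodes the parameter and either echoes it raw, as the vulnerable script effectively does, or HTML-escapes it after decoding. The function names, the response template and the sample payload are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Minimal base64 decoder (standard alphabet, '=' padding), standing in for the decode that
 * imagedownload.cgi applies to imageData. Returns the decoded length or -1 on bad input. */
static int b64_decode(const char *in, unsigned char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p)
            return -1;                   /* character outside the alphabet */
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsz)
                return -1;               /* output buffer too small */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Output encoding for an HTML text context: the five characters that can break out of it. */
static void html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= outsz)
            break;                       /* truncate rather than overflow */
        if (rep)
            memcpy(out + n, rep, len);
        else
            out[n] = *in;
        n += len;
    }
    out[n] = '\0';
}

/* Builds the CGI's HTTP reply (hypothetical template). With vulnerable != 0 the decoded value is
 * echoed as-is, the reflected-XSS pattern; otherwise it is escaped after decoding, so wrapping the
 * payload in base64 buys the attacker nothing. Returns the reply length or -1 on bad base64. */
static int render_response(const char *image_data_b64, int vulnerable, char *html, size_t htmlsz)
{
    unsigned char decoded[256];
    char escaped[1024];
    int n = b64_decode(image_data_b64, decoded, sizeof decoded - 1);
    if (n < 0)
        return -1;
    decoded[n] = '\0';

    const char *value = (const char *)decoded;
    if (!vulnerable) {
        html_escape(value, escaped, sizeof escaped);
        value = escaped;
    }
    return snprintf(html, htmlsz,
                    "Content-Type: text/html\r\n\r\n<html><body>Image: %s</body></html>", value);
}

int main(void)
{
    /* Constructed payload: base64 of "<script>alert(1)</script>" */
    static const char payload[] = "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==";
    char html[2048];
    render_response(payload, 1, html, sizeof html);
    printf("vulnerable:\n%s\n\n", html);
    render_response(payload, 0, html, sizeof html);
    printf("escaped:\n%s\n", html);
    return 0;
}
```

The escape table covers an HTML text context only; a value reflected inside an attribute, a URL or a script block needs the encoding for that context. The ordering is the point: decode first, then encode for the place the value lands, so every transformation the CGI applies is accounted for before the browser sees the result.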


IPVM's preliminary severity rating, calculated with CVSSv3.1, is 4.8 (medium): CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N.

IPVM will update with official CVSS severity once NVD has analyzed and published its official scoring.


  • Attack Vector
    • Network: the attack can only be exploited over a network.
  • Attack Complexity
    • Low: an attacker can expect repeatable success.
  • Privileges Required
    • High: the victim must be logged into the device as the admin user.
  • User Interaction
    • Required: the victim must follow the attacker's link.
  • Scope
    • Changed: the vulnerable component is the remote CGI script, and the impacted component is the victim's browser.
  • Confidentiality
    • Low: information in the victim's browser associated with the vulnerable CGI script can be read by the malicious JavaScript and sent to the attacker.
  • Integrity
    • Low: information in the victim's browser associated with the vulnerable CGI script can be modified by the malicious JavaScript.
  • Availability
    • None: exploitation does not affect the availability of device resources.


CVE-2023-31996 - Authenticated Command Injection

While analyzing the communication between the browser and the IP camera, we found that the NAS storage test function's DefaultFolder parameter is passed into a system() call without the dollar sign ('$') and parentheses ('()') being filtered out, which allows command injection and execution of arbitrary operating system commands.

In the shell, $( ) performs command substitution: the command inside the parentheses is run and its output is inserted into the surrounding command line. An attacker who can place $( ... ) in the parameter therefore gets the inner command executed on the camera, compromising the system.

The PoC starts the telnet server with its -l option set to /bin/sh, which skips the login procedure entirely: connecting to the device over telnet then drops straight into a root shell.


IPVM's preliminary severity rating, calculated with CVSSv3.1, is 6.5 (medium): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N.

IPVM will update with official CVSS severity once NVD has analyzed and published its official scoring.


  • Attack Vector
    • Network: the attack can only be exploited over a network.
  • Attack Complexity
    • Low: an attacker can expect repeatable success.
  • Privileges Required
    • High: logging into the device as the admin user is necessary to exploit.
  • User Interaction
    • None: no user interaction is required to exploit.
  • Scope
    • Unchanged: the vulnerable component and the impacted component are the same.
  • Confidentiality
    • High: the attacker can access restricted information on the device.
  • Integrity
    • High: the attacker can modify files on the device.
  • Availability
    • None: exploitation does not affect the availability of device resources.

