Vulnerability Impacting 400,000 Hikvision And OEM Devices Online

IT
IPVM Team
Published Dec 01, 2022 13:36 PM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

IPVM has verified that a Hikvision Ezviz vulnerability (CVE-2022-2472) disclosed in September 2022 also impacts Hikvision branded (and OEM) cameras with ~400,000 still vulnerable devices publicly accessible, checked on Shodan.

IPVM Image

Hikvision responded, verifying our findings, saying that Hikvision products currently on sale are not impacted. No fix is available for these devices, which primarily are from 2015 or earlier, though we found some OEMs with newer released devices impacted. This vulnerability is critical as it allows a remote user, unauthenticated, to obtain the device's admin username and password.

While no proof of concept was provided for CVE-2022-2472, IPVM was able to determine how the vulnerability worked, verified it on 2022 Ezviz cameras, and then was able to verify it on various Hikvision cameras as well. The full details and IPVM's proof of concept for the vulnerability are available to IPVM Research Subscribers.

While Ezviz models require cloud connectivity to Hikvision, preventing remote execution of the vulnerability, with Hikvision and OEM models (that do not require this), one is able to exploit the vulnerability remotely over the Internet to obtain the admin username and password without authentication, which is a critical vulnerability.

When we originally asked Bitdefender why they hide from the public that Ezviz was a Hikvision brand and whether they verified this on Hikvision models they deflected the former question and retorted the latter was "presumptuous"

We share your understanding that EZVIZ is a Hikvision brand. The three Hikvision camera models we subsequently analyzed (HWC-C220-D/W, DS-2CD2141G1-IDW1D, HWC-P120-D/W) did not share the vulnerabilities published in our EZVIZ research. Based on this we believe any further inferences on Hikvision product integrity impact would be presumptuous and anecdotal.

After we explained our findings, Bitdefender called this a good example of building on existing research:

The three Hikvision camera models we subsequently analyzed (HWC-C220-D/W, DS- 2CD2141G1-IDW1D, HWC-P120-D/W) did not share the vulnerabilities published in our EZVIZ research. However, if the same vulnerabilities were found in other models, it is a good example of the security community building on existing research and knowledge to help better secure environments and we applaud these efforts.

Hikvision responded to IPVM by saying:

Per our examination at this stage, products currently on sale by Hikvision are not affected by the CVE-2022-2472 vulnerability, nor are the products currently supplied to OEM customers. We are still working on further investigation.

The software variances we found across different Hikvision devices raise questions about errors and design challenges, though we find no evidence of this being malicious nor state-sponsored by Hikvision's owner, the PRC government.

The full details and IPVM's proof of concept for the vulnerability are available to IPVM Research Subscribers.