Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text

Published Aug 28, 2017 14:42 PM

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone with local access, without authentication, to generate a code to which Hikvision responds by emailing the admin password in plain text.

This differs from the Hikvision recorder cracked security codes. Because it affects the iVMS-4200, exploiting this vulnerability would provide access to all devices connected to the iVMS-4200, including Hikvision cameras and recorders, as well as any third-party cameras connected through those recorders.

In this report we detail the vulnerability, explaining how it can be exploited and the security problems therein.


Comments (11)
Undisclosed Integrator #1
Aug 28, 2017

(Insert Hikvision Special Bulletin security fix email here) 

Brian Karas
Aug 28, 2017
IPVM

While Hikvision did not respond to our email (sent August 24th), they released a "Special Bulletin" and updated version of iVMS-4200 today (August 28th):


iVMS-4200 Updated Software Download 

Brian Karas
Aug 28, 2017
IPVM

In addition to removing the "Forgot Password" function, Hikvision has stopped issuing password recovery requests. A request submitted after this report was released received the following response from Hikvision:

The response did not make it clear that the function/support was removed, nor did they recommend downloading the latest release with the "upgraded security structure".

Marty Calhoun
Sep 03, 2017
IPVMU Certified

Moot Point

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central.

Undisclosed #2
Sep 03, 2017
IPVMU Certified

...it is more realistic to use Hik-Central.

Is that even a VMS?

Marty Calhoun
Sep 04, 2017
IPVMU Certified

It is a CMS solution. Centralized Management System, not to be confused with a VMS or iVMS-4200.

Go ahead throw water on it, blame the Chinese government, blame all cyber-security problems over the last (10) years on Hik, throw the Kitchen sink at it, bring up everything that has been resolved but god forbid a non-partisan discussion of the software and its abilities without the 'Headline of the week' approach.

John Honovich
Sep 03, 2017
IPVM

Marty,

Hik-Central was just released in the past few months which means very few customers, enterprise or otherwise are using Hik-Central.

Btw, what security vulnerability testing has Hik-Central been put through?

Undisclosed #2
Sep 04, 2017
IPVMU Certified

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central. - M.C.

... very few customers, enterprise or otherwise are using Hik-Central. - J.H.

Both of these cannot be true, unless Hikvision has very few enterprise customers.

John Honovich
Sep 04, 2017
IPVM

Marty is implying that enterprise level customers should be using Hik-Central.

Whether they should use Hik-Central or not, it just reached general availability less than 2 months ago:

So the reality is, regardless of what their customers should be using, overwhelmingly customers, enterprise or not, are using iVMS-4200 since Hik-Central is brand new.

Of course, raising Hik-Central is simply a smokescreen to the fact that Hikvision's poor cybersecurity policy allowed emailing admin passwords in plain text.

Undisclosed #2
Sep 04, 2017
IPVMU Certified

Marty is implying that enterprise level customers should be using Hik-Central.

And so the Point only should be Moot.

John Honovich
Sep 03, 2017
IPVM

Moot Point

How would it be a 'moot point' to send admin passwords in plain text to anyone?

Marty, you are welcome to say what you want, but these types of responses reinforce that Hikvision and their dealers are not serious about cyber security and engage in shameful excuses.
