Hikvision, a Chinese manufacturer of video surveillance equipment, recently patched a backdoor in a slew of its cameras that could have made it possible for a remote attacker to gain full admin access to affected devices. The backdoor stems from two bugs: an improper authentication bug and a password in configuration file vulnerability. Both bugs could have allowed an attacker to escalate privileges and access sensitive information. The United States Computer Emergency Readiness Team (US-CERT) disclosed the vulnerabilities in an advisory on Friday, assigning the highest possible CVSS rating, 10.0 to the improper authentication vulnerability. The password in configuration file issue, meanwhile, received a high severity 8.8 rating. The warning reiterates a bulletin the company, which is partially owned by the Chinese government, sent customers in March. In the notice, Hikvision warned that request code could be used to access certain IP cameras directly. From there, it could be possible for an attacker to escalate user privileges, and “acquire or tamper with device information.” The company provided firmware updates for seven lines of cameras at the time, the same updates US-CERT pointed out on Friday:
An independent researcher who goes by the handle “Montecrypto” first disclosed the backdoor in a post to the forum IPCamTalk in early March saying it “makes it possible to gain full admin access to the device.” At the time, he gave the company two weeks to “come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed.” Montecrypto confirmed the privilege escalation aspect of the vulnerability the same day the company warned of the issue, acknowledging an attacker could remotely escalate their privileges “from anonymous web surfer to admin.” The researcher promised to disclose details around his findings on March 20, two weeks after he initially disclosed, but retreaded on that decision after making contact with the company. “Per agreement with Hikvision I am delaying the disclosure,” Montecrypto wrote, “Hikvision promised to responsibly disclose and resolve the vulnerability. They are working with ICS-CERT and other organizations, and it is expected that more details will be communicated soon via those channels. If nothing is communicated in the next few weeks, I will proceed with full disclosure.” According to IVPM, a video surveillance publication that’s been keeping track of the vulnerabilities, it’s believed the bugs affect millions of cameras, “given Hikvision’s own regular declarations of shipping tens of millions of cameras.” According to the company, until customers apply the respective firmware patch, the following cameras are still vulnerable:
Hikvision, via US-CERT, warned customers Friday that trying to update some “grey market” cameras – devices sold through unauthorized channels, thus with unauthorized firmware – could result in complications. “Updating the firmware may result in converting the camera’s interface back to its original state. Users of ‘grey market’ cameras who cannot update due to this unauthorized firmware will still be susceptible to these vulnerabilities.” While Hikvision fixed the improper authentication vulnerability it has yet to fix the password in the configuration file vulnerability, US-CERT points out. The company did not immediately return a request for comment on Monday when asked if it was planning on fixing the issue. Several years ago, Hikvision, in an effort to better secure its products, contracted the security firm Rapid7 to carry out a penetration test and vulnerability assessment of its IP cameras, embedded recorders, and software tools. That partnership was spurred after Rapid7 identified a series of vulnerabilities, buffer overflows that allowed the remote execution of arbitrary code, in Hikvision DVRs in 2014. It’s unclear how long since the audit the vulnerabilities identified in March have existed in Hikvision cameras. The Hikvision advisory comes a day after US-CERT warned of a similar set of vulnerabilities in IP cameras and digital video recorders manufactured by another Chinese company, Dahua. The company told customers and partners in early March the vulnerabilities were caused called “a small piece of code.” Bashis, an independent researcher, found the issues, a backdoor that allowed remote unauthorized admin access via the web, and disclosed them via the Full Disclosure mailing list on March 6. A spokesman from Dahua confirmed the information in US-CERT’s advisory early Monday and said that customers can download updated firmware from the “Device Upgrade Kit” section of the company’s website to mitigate the vulnerabilities. The post Hikvision Patches Backdoor in IP Cameras appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/hikvision-patches-backdoor-in-ip-cameras/
0 Comments
Leave a Reply. |
ABOUT USFree, secure collections for I.T recycling and CESG approved data erasure for individuals, businesses and large-scale projects. I.T Asset Disposal | Computer Recycling | Re-marketing & Cashback | Secure Data Erasure. Archives
May 2017
Categories |