Description
Security researchers from Watchful_IP have observed that the majority of Hikvision cameras are susceptible to an unauthenticated remote code execution (RCE) vulnerability, despite having the latest firmware.
Summary
The vulnerability found by the Watchful_IP researchers could let an unauthenticated attacker obtain full access to the device, with the possibility of performing lateral movement into internal networks.
How it works
The vulnerability found by the Watchful_IP researchers is listed under CVE-2021-36260. It could allow an unauthenticated attacker to log in and gain full access to the device, with the possibility of performing lateral movement into internal networks.
The vulnerability allows a cybercriminal to surpass the regular level of access the owner of the device is granted, because the owner is restricted to a limited protected shell (psh) which filters input to a predefined set of limited informational commands.
The researcher further emphasises that the vulnerability has been in existence since 2016. An attacker only requires access to the Hypertext Transfer Protocol (HTTP/HTTPS) server port (port 80/443); no username or password is needed, and no action is required from the camera owner. With this attack vector, the attack will not be detected by any logging on the camera itself. An attacker can exploit the vulnerability by launching a command injection attack, sending messages that contain specially crafted commands.
For more information on this vulnerability, kindly follow this URL:
Remediation
While not all Hikvision cameras have been provided with the latest firmware to combat such attacks, Hikvision has recommended that CCTV camera owners do the following:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Insecure Hikvision Security Cameras Can Be Taken Over Remotely.pdf