Hikvision produces security cameras, disc recorders, video codes, and video servers, which are used in a variety of businesses and sectors, including critical infrastructure. After a “serious” vulnerability was discovered in millions of cameras from Hikvision, the world’s largest IP camera maker, cyber security experts are advising businesses and home users to upgrade the firmware of their security cameras.
In a statement, the video security solutions company claims to have addressed the problem. According to the statement, it has also pushed out a firmware upgrade for end customers based on the security researcher’s recommendations.
According to Hikvision, the fault may affect over 80 items, including versions dating back to 2016. While the firm could not say how many devices were affected, video surveillance resource IPVM says, “We estimate 100+ million devices globally are impacted.”
The CVE-2021-36260 vulnerability has a critical CVSS rating of 9.8. According to the CVE description, the issue affects “some” Hikvision web servers. Due to poor input validation, threat actors can conduct a command injection attack by delivering specially constructed malicious instructions, according to the description.
According to Watchful IP’s blog, the researcher and the firm did not publish technical specifics of the vulnerability or publicly release the proof of concept, citing worries about exploitation in the wild.
According to the researcher, an attacker may use an unfettered root shell to take complete control of a device. This, the researcher says, “is far more access than even the owner of the device has, as they are restricted to a limited ‘protected shell’ (psh), which filters the input to a predefined set of limited, mostly informational commands.” All that is required of an attacker is access to the HTTP server port 80 or the HTTPS server port 443. The attack does not require a username or password, nor does it require any action from the device owner, and it will not be detected by any logging on the device itself, according to the researcher.
In addition to compromising the device completely, successful exploitation allows threat actors to get access to internal networks and penetrate both deeply and laterally, according to the researcher.
An attacker must be on the same network as the vulnerable device to exploit the vulnerability, according to Hikvision’s security warning. According to the study, a threat actor can only exploit the vulnerability and attack a device if they can gain access to the device’s login screen.
According to the firm, the simplest approach to determine the system risk level is to see if the device’s homepage can be accessed straight from the internet without any additional network variation. “If yes, the system should be considered at high risk,” the advisory says.
Remedy for the cause
In addition to upgrading the device firmware, Hikvision advises users to:
- Reduce the number of ports that are exposed to the internet;
- Reconfigure common port numbers to bespoke ports instead of using them;
- Enable IP filtering.
“I’d recommend you do not expose any IoT device to the internet, no matter who it is made by – or in which country the device is made (including U.S, Europe, etc). Use a VPN for access if needed. Block outbound traffic too if at all possible – I also like to give these devices the wrong gateway (router) IP,” the researcher added.
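The advisory's exposure check and the three hardening steps can be applied to a router's port-forward table. The following is an added example, not code from Hikvision or the researcher: the rule format, camera addresses and the "high"/"review" labels are assumptions, and the sample data is constructed.

```python
import ipaddress

WEB_PORTS = {80, 443}  # HTTP/HTTPS ports named in the article

# Constructed sample data (not from the advisory): camera addresses and
# router port-forward rules as (ext_port, int_ip, int_port, allowed_sources).
CAMERAS = {"192.168.10.21", "192.168.10.22", "192.168.10.23"}
FORWARDS = [
    (80,   "192.168.10.21", 80,  []),                  # default port, no filter
    (8443, "192.168.10.22", 443, []),                  # custom port, no filter
    (8444, "192.168.10.23", 443, ["203.0.113.0/29"]),  # custom port, filtered
    (554,  "192.168.10.21", 554, []),                  # extra exposed service
    (443,  "192.168.10.50", 443, []),                  # not a camera
]

def unrestricted(sources):
    """True when the rule admits any source address (no IP filtering)."""
    if not sources:
        return True
    return any(ipaddress.ip_network(s).prefixlen == 0 for s in sources)

def audit(forwards, cameras):
    """Return {camera_ip: {"risk": str, "findings": [str, ...]}}."""
    report = {}
    for ext_port, int_ip, int_port, sources in forwards:
        if int_ip not in cameras:
            continue
        entry = report.setdefault(int_ip, {"risk": "review", "findings": []})
        open_to_all = unrestricted(sources)
        if int_port in WEB_PORTS and open_to_all:
            # Web interface reachable from any internet host: treated here as
            # the advisory's "high risk" case. Assumption: a custom external
            # port alone does not lower the rating.
            entry["risk"] = "high"
            entry["findings"].append(f"web UI open to any source on :{ext_port}")
        elif open_to_all:
            entry["findings"].append(f"port {ext_port} exposed without IP filter")
        else:
            entry["findings"].append(f"port {ext_port} limited to {sources}")
        if ext_port in WEB_PORTS:
            entry["findings"].append(f"common port {ext_port} in use")
    return report

if __name__ == "__main__":
    for ip, result in sorted(audit(FORWARDS, CAMERAS).items()):
        print(ip, result["risk"], "; ".join(result["findings"]))
```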