Hikvision, a Chinese manufacturer of video surveillance equipment, recently patched a backdoor in a slew of its cameras that could have made it possible for a remote attacker to gain full admin access to affected devices.
The backdoor stems from two bugs: an improper authentication bug and a password in configuration file vulnerability. Both bugs could have allowed an attacker to escalate privileges and access sensitive information.
The United States Computer Emergency Readiness Team (US-CERT) disclosed the vulnerabilities in an advisory on Friday, assigning the highest possible CVSS rating, 10.0 to the improper authentication vulnerability. The password in configuration file issue, meanwhile, received a high severity 8.8 rating.
The warning reiterates a bulletin the company, which is partially owned by the Chinese government, sent customers in March. In the notice, Hikvision warned that request code could be used to access certain IP cameras directly. From there, it could be possible for an attacker to escalate user privileges, and “acquire or tamper with device information.” The company provided firmware updates for seven lines of cameras at the time, the same updates US-CERT pointed out on Friday:
- DS-2CD2xx2F-I Series
- Updated firmware: V5.4.5 build 170123 and later
- DS-2CD2xx0F-I Series
- Updated firmware: V5.4.5 Build 170123 and later
- DS-2CD2xx2FWD Series
- Updated firmware: V5.4.5 Build 170124 and later
- DS- 2CD4x2xFWD Series
- Updated firmware: V5.4.5 Build 170228 and later
- DS-2CD4xx5 Series
- Updated firmware: V5.4.5 Build 170302 and later
- DS-2DFx Series
- Updated firmware: V5.4.9 Build 170123 and later
- DS-2CD63xx Series
- Updated firmware: V5.4.5 Build 170206 and later
An independent researcher who goes by the handle “Montecrypto” first disclosed the backdoor in a post to the forum IPCamTalk in early March saying it “makes it possible to gain full admin access to the device.” At the time, he gave the company two weeks to “come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed.”
Montecrypto confirmed the privilege escalation aspect of the vulnerability the same day the company warned of the issue, acknowledging an attacker could remotely escalate their privileges “from anonymous web surfer to admin.”
The researcher promised to disclose details around his findings on March 20, two weeks after he initially disclosed, but retreaded on that decision after making contact with the company.
“Per agreement with Hikvision I am delaying the disclosure,” Montecrypto wrote, “Hikvision promised to responsibly disclose and resolve the vulnerability. They are working with ICS-CERT and other organizations, and it is expected that more details will be communicated soon via those channels. If nothing is communicated in the next few weeks, I will proceed with full disclosure.”
According to IVPM, a video surveillance publication that’s been keeping track of the vulnerabilities, it’s believed the backdoor affects millions of cameras, “given Hikvision’s own regular declarations of shipping tens of millions of cameras.”
According to the company, until customers apply the respective firmware patch, the following cameras are still vulnerable:
- DS-2CD2xx2F-I Series
- 2.0 build 140721 to V5.4.0 build 160530
- DS-2CD2xx0F-I Series
- 2.0 build 140721 to V5.4.0 Build 160401
- DS-2CD2xx2FWD Series
- 3.1 build 150410 to V5.4.4 Build 161125
- DS- 2CD4x2xFWD Series
- 2.0 build 140721 to V5.4.0 Build 160414
- DS-2CD4xx5 Series
- 2.0 build 140721 to V5.4.0 Build 160421
- DS-2DFx Series
- 2.0 build 140805 to V5.4.5 Build 160928
- DS-2CD63xx Series
- 0.9 build 140305 to V5.3.5 Build 160106
Hikvision, via US-CERT, warned customers Friday that trying to update some “grey market” cameras – devices sold through unauthorized channels, thus with unauthorized firmware – could result in complications.
“Updating the firmware may result in converting the camera’s interface back to its original state. Users of ‘grey market’ cameras who cannot update due to this unauthorized firmware will still be susceptible to these vulnerabilities.”
While Hikvision fixed the improper authentication vulnerability it has yet to fix the password in the configuration file vulnerability, US-CERT points out.
Hikvision, when reached Monday, rejected both the researcher and IPVM’s claim the vulnerabilities amounted to a backdoor.
“First of all, we need to clarify this vulnerability is a code error instead of backdoor. Hikvision guarantees hereby that it never has, does or would intentionally contribute to the placement of ‘backdoors’ in its products,” a member of Hikvision’s Security Response Center told Threatpost late Monday.
Hikvision also directed Threatpost to a letter it sent customers and partners last Thursday notifying them of the March firmware update, 5.4.5. The company also addressed the issue with the configuration file, acknowledging it will enhance its private key decryption storage method in an upcoming release.
“The configuration file is encrypted and is therefore not readable, and protects users’ credentials. Also, the configuration file can only be exported by the admin account. Hikvision appreciates ICS-CERT’s comment, and will enhance the private key decryption storage method in the upcoming firmware release.”
Several years ago, Hikvision, in an effort to better secure its products, contracted the security firm Rapid7 to carry out a penetration test and vulnerability assessment of its IP cameras, embedded recorders, and software tools. That partnership was spurred after Rapid7 identified a series of vulnerabilities, buffer overflows that allowed the remote execution of arbitrary code, in Hikvision DVRs in 2014. It’s unclear how long since the audit the vulnerabilities identified in March have existed in Hikvision cameras.
The Hikvision advisory comes a day after US-CERT warned of a similar set of vulnerabilities in IP cameras and digital video recorders manufactured by another Chinese company, Dahua. The company told customers and partners in early March the vulnerabilities were caused called “a small piece of code.” Bashis, an independent researcher, found the issues, a backdoor that allowed remote unauthorized admin access via the web, and disclosed them via the Full Disclosure mailing list on March 6.
A spokesman from Dahua confirmed the information in US-CERT’s advisory early Monday and said that customers can download updated firmware from the “Device Upgrade Kit” section of the company’s website to mitigate the vulnerabilities.
This article was updated on May 9 to include statements from Hikvision, including a link to the company’s May 4 letter to customers.