Hikvision Security Advisory

September 22, 2017

Dear Valued Customers and Partners:

Reminder to apply known vulnerability patch

Early in March, Hikvision was made aware of a privilege-escalation vulnerability in certain IP cameras. A firmware update that resolves the issue has been available on the Hikvision website since mid-March. Please see the vulnerability information and the links to the updated firmware referred to below.

Recently, a few online reports of cyberattacks on some Hikvision products have been brought to our attention. Hikvision reaffirms that updating all systems to the latest version is an effective way to prevent your equipment from being vulnerable to cyberattacks. We have provided the available solution, and we urge all our partners and users to ensure that the firmware update is applied to all products in order to reinforce the cybersecurity protection of Hikvision systems.

Hikvision takes cybersecurity concerns with the utmost seriousness and takes action every day to ensure that our products are not only innovative but also meet the highest standards of cybersecurity best practice.

Please check the above link and make sure that all cameras are running the latest firmware. More information on the vulnerability and our resolution efforts can be found at the Hikvision Security Center. Should you wish for assistance or have any other concerns about Hikvision products that you’d like to discuss, please contact your Hikvision branch office or representatives, or consult us at support@hikvision.com.

Sincerely,

Hikvision Digital Technology Co., Ltd.

Update on Privilege Escalating Vulnerability Notice-HQ

May 4, 2017

Dear Valued Customers and Partners:

Hikvision is honored to work with the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center in our ongoing cybersecurity best practice efforts.

We’re pleased to announce that Hikvision’s successful progress on a privilege-escalation vulnerability has been acknowledged by ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Specifically, ICS-CERT has recognized that on March 13, 2017 Hikvision released the fixed firmware version 5.4.41/5.4.71 to address the user privilege-escalation vulnerability on the particular affected camera models.

What do customers need to know about the privilege-escalation vulnerability? What steps should customers take to enhance the cybersecurity of Hikvision systems?

·Please review the March 13, 2017 notice, which outlines potential cybersecurity concerns that could arise with specific cameras under certain, fairly uncommon circumstances. To date, Hikvision is not aware of any reports of malicious activity associated with this vulnerability.

·Hikvision always recommends a systematic, multi-step approach to enhancing cybersecurity protection. To assist customers and partners, Hikvision offers a number of industry-leading cybersecurity resources. Please visit the Hikvision Security Center for more information.

·The Hikvision Network Security Hardening Guide is a new resource for installers.

·Hikvision also encourages customers to use ICS-CERT resources, including the ICS-CERT Recommended Practices and ICS-CERT Defense in Depth guidance.

Did ICS-CERT recommend further enhancements in future firmware upgrades?

·ICS-CERT specifically identified the handling of the “configuration file” as an area of potential concern.

Under what circumstances is there a concern with the configuration file? How will Hikvision address this concern?

·The configuration file is encrypted, so it is not readable and protects users’ credentials. Also, the configuration file can only be exported by the admin account. Hikvision appreciates ICS-CERT’s comment and will enhance the storage method for the private decryption key in the upcoming firmware release.

Hikvision is proud to be at the forefront of the move to improve cybersecurity best practices in our industry. Cybersecurity must be top-of-mind throughout the product lifecycle, from R&D and manufacturing to installation and maintenance. Hikvision’s in-house cybersecurity experts are dedicated to constantly assessing and improving our products and our processes, and the Hikvision team provides market-leading cybersecurity education and support to our valued customers. We’re also actively engaged with our competitors and partners on collaborative cybersecurity efforts that benefit our entire industry.

Interoperability is key to the success of IP video technology. While it’s exciting to watch the ecosystem of video surveillance devices multiply, this also increases our cybersecurity challenges. Establishing interoperability standards for video surveillance should be a top priority and one that everyone in the surveillance industry needs to share.

If you have any questions or concerns about Hikvision products, please contact your Hikvision branch office or representatives, or consult us at overseasbusiness@hikvision.com. For technical concerns, you may contact support@hikvision.com.

Security Notification Apache Struts2-Global Version

April 10, 2017

Security Notification – Apache Struts2 Vulnerability Alert in Certain Hikvision iVMS Platforms

SN No.: HSRC-201703-05

Edit: Hikvision Security Response Center (HSRC)

Initial Release Date: 2017-04-06

Description:

Apache Struts 2 is one of the popular development frameworks for Java web applications. Recently the Jakarta Multipart parser, a plug-in of Apache Struts 2, was found to have a remote code execution vulnerability. Attackers may execute malicious remote code by modifying the Content-Type header of an HTTP request when uploading files through this plug-in. For more information, please refer to the official Apache Struts 2 website: https://struts.apache.org/docs/s2-045.html

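As an added example that is not part of this notification, the following defensive check parses HTTP request heads and flags a Content-Type header that carries an OGNL expression marker (`%{` or `${`) or is implausibly long, which is the shape of request S2-045 abuses; the sample requests, hostname, path and length threshold are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# An OGNL expression embedded in a header value starts with '%{' or '${'; a
# legitimate multipart Content-Type never contains either, so their presence is
# a strong signal. The length threshold is an assumption for this example.
OGNL_MARKER = re.compile(r"%\{|\$\{")
MAX_CONTENT_TYPE_LEN = 200


def parse_request_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (request line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_suspicious_content_type(value: str) -> bool:
    """True if the Content-Type carries an OGNL marker or is implausibly long."""
    return bool(OGNL_MARKER.search(value)) or len(value) > MAX_CONTENT_TYPE_LEN


def scan_requests(raw_requests: List[str]) -> List[str]:
    """Return the request line of every request whose Content-Type looks like S2-045 abuse."""
    flagged = []
    for raw in raw_requests:
        request_line, headers = parse_request_headers(raw)
        if is_suspicious_content_type(headers.get("content-type", "")):
            flagged.append(request_line)
    return flagged


# Constructed sample traffic: an ordinary upload, an upload whose Content-Type
# holds a harmless placeholder OGNL marker, and a request with no Content-Type.
SAMPLE_REQUESTS = [
    "POST /ivms/upload HTTP/1.1\r\nHost: ivms.example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n\r\n",
    "POST /ivms/upload HTTP/1.1\r\nHost: ivms.example.internal\r\n"
    "Content-Type: %{constructed_ognl_placeholder}\r\n"
    "Content-Length: 0\r\n\r\n",
    "GET /ivms/login HTTP/1.1\r\nHost: ivms.example.internal\r\n\r\n",
]

if __name__ == "__main__":
    for line in scan_requests(SAMPLE_REQUESTS):
        print("flagged:", line)
```

A check like this belongs in front of the iVMS web tier (reverse proxy or WAF) as a stopgap until the hotfix below is applied; it does not replace the upgrade.
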
Affected Products:

iVMS-5200 Professional baseline versions V3.3.4 and earlier, including the Mobile and ANPR subsystems.

Blazer Pro v1.0 baseline versions

Solution:

Hikvision has published a hotfix to upgrade Apache Struts 2 to its latest versions, Struts 2.3.32 and 2.5.10.1, which Apache Struts officially released to fix the vulnerability. To implement the hotfix:

1. Download the hotfix from the Hikvision official website:

·iVMS-5200 Professional, including the Mobile and ANPR subsystems: Click Here

·Blazer Pro v1.0: Click Here

2. Copy the hotfix 5200P-ST&FJ-201703.exe to the desktop of the computer or the Blazer Pro where the Central Management Server service of the iVMS software is running.

3. Close the Service Manager by clicking the Exit button in the notification area.

4. Double-click the hotfix to run it. The hotfix will check the running environment, stop the services of the iVMS software, replace the affected files and restart the services. If you see the interface below, the system has been upgraded successfully and returned to normal status.

5. Restart the Service Manager.

If you have any questions about the upgrade procedure, please do not hesitate to contact your Hikvision local support team or support@hikvision.com.

Contact Us:

Should you have a security problem or concern, please contact the Hikvision Security Response Center at hsrc@hikvision.com.

Security Notification: Privilege-Escalating Vulnerability in Certain Hikvision IP Cameras

March 13, 2017

SN No.: HSRC-201703-04

Edit: Hikvision Security Response Center (HSRC)

Initial Release Date: 2017-03-10

Update Release Date: 2017-03-12

Summary

While processing a specific request, a user privilege-escalation vulnerability may occur in select Hikvision IP cameras running particular firmware versions.

This vulnerability has been discovered but, as of this notice, has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Impact

By exploiting this vulnerability, attackers could obtain unauthorized, escalated user privileges and acquire or tamper with device information.

Affected Software Versions and Fixes

Product Name | Affected Versions | Resolved Versions
DS-2CD2xx2F-I Series |  | V5.4.41 build 170310 and later
DS-2CD2xx0 Series |  | V5.4.41 build 170309 and later
DS-2CD4x2xFWD Series |  | V5.4.41 build 170310 and later
DS-2CD4xx5 Series |  | V5.4.41 build 170309 and later
DS-2CD2xx2FWD Series |  | V5.4.41 build 170309 and later
DS-2DEx Series |  | V5.4.71 build 170309 and later
DS-2DFx Series |  | V5.4.71 build 170309 and later

Solution

Update devices with the correct firmware.

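To turn the resolved-version table into an inventory check, here is an added example (not Hikvision's code) that maps a device model to its advisory series by treating each "x" in the series name as a single wildcard character, then compares the firmware string the device reports against the resolved build; the model names and firmware strings in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Resolved firmware per affected series, copied from the advisory table (HSRC-201703-04).
RESOLVED_FIRMWARE = {
    "DS-2CD2xx2F-I": "V5.4.41 build 170310",
    "DS-2CD2xx0": "V5.4.41 build 170309",
    "DS-2CD4x2xFWD": "V5.4.41 build 170310",
    "DS-2CD4xx5": "V5.4.41 build 170309",
    "DS-2CD2xx2FWD": "V5.4.41 build 170309",
    "DS-2DEx": "V5.4.71 build 170309",
    "DS-2DFx": "V5.4.71 build 170309",
}

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{6})$", re.IGNORECASE)


def parse_firmware(text: str) -> Tuple[int, int, int, int]:
    """Turn 'V5.4.41 build 170310' into the comparable tuple (5, 4, 41, 170310)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())


def match_series(model: str) -> Optional[str]:
    """Map a device model (e.g. 'DS-2CD2042FWD-I') to an advisory series key, or None."""
    for series in RESOLVED_FIRMWARE:
        # Each 'x' in the series name stands for one character; any suffix may follow.
        pattern = "^" + re.escape(series).replace("x", "[0-9A-Za-z]") + ".*$"
        if re.match(pattern, model, re.IGNORECASE):
            return series
    return None


def patch_status(model: str, firmware: str) -> str:
    """Return 'not affected', 'patched' or 'vulnerable' for one inventory entry."""
    series = match_series(model)
    if series is None:
        return "not affected"
    resolved = parse_firmware(RESOLVED_FIRMWARE[series])
    return "patched" if parse_firmware(firmware) >= resolved else "vulnerable"


def audit(inventory):
    """Annotate (model, firmware) pairs with their patch status."""
    return [(model, fw, patch_status(model, fw)) for model, fw in inventory]


# Constructed sample inventory, as a device-list export might provide it.
SAMPLE_INVENTORY = [
    ("DS-2CD2042FWD-I", "V5.4.5 build 160530"),
    ("DS-2CD2032F-I", "V5.4.41 build 170310"),
    ("DS-2DE4220IW-DE", "V5.4.71 build 170309"),
    ("DS-7608NI-E2", "V3.4.90 build 170222"),
]

if __name__ == "__main__":
    for model, fw, status in audit(SAMPLE_INVENTORY):
        print(f"{model:<18} {fw:<24} {status}")
```
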
Contact Us

Should you have a security problem or concern, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Defense Against NVR/DVR Scripted Application

March 6, 2017

March 2nd, 2017

Dear Valued Partner,

Hikvision has determined that there is a scripted application specifically targeting Hikvision NVRs and DVRs that meet the following conditions: they have not been updated to the latest firmware, and they retain the default port, default user name, and default password.

Hikvision has introduced a secure Activation Mechanism into all of its product lines since March 2015, which requires creating a password at first login. However, before that date it was possible to install NVRs and DVRs with default settings. Therefore, we have provided updated firmware that includes this mandatory setting so that customers can upgrade existing devices.

Hikvision strongly recommends that our customer base review the security levels of equipment installed prior to March 2015 to ensure the use of complex passwords and upgraded firmware to best protect their customers.

Below are firmware and password guidelines and specific steps to take to secure a system:

Password and Firmware Overview

•    Leaving factory-default, poorly chosen, or weak passwords in your camera or video recorder may result in unauthorized access or exploitation of your company resources.

•    Change every password in every device regularly. Old passwords can carry additional risk.

•    Ensure all systems have the latest firmware.

•    All users, including contractors and vendors with access to your company systems, should take appropriate steps to select and secure their passwords and to update the firmware on your systems.

Password and Firmware Steps

1.    Make sure your device is behind a firewall.

o    Make sure that your firewall is updated with the latest firmware and that the default password on your router has been changed.

o    If you want your device to work with Hikvision or third-party online services, set up port forwarding on your firewall.

2.    Check whether your system has the latest firmware. Here is a link to check if your product needs to be upgraded to the latest firmware.

3.    After updating the firmware, restore factory defaults and make sure you have restarted the device.

4.    Once the device has restarted, it will ask you to set a more secure password.

o    Go through the process to secure your devices.

5.    Now that you have updated your device, please make sure to change your password regularly.

Security Notification – HTTP Buffer Overflow Vulnerability in Hikvision NVR Devices

November 9, 2015

SN No.: HSRC-201510-03

Edit: Hikvision Security Response Center (HSRC)

Initial Release Date: 2015-11-09

Summary

While processing specific HTTP requests after authentication (a successful login with the correct username and password), buffer overflow vulnerabilities may occur in selected Hikvision NVRs. This may result in service interruption for users.

These vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) IDs: CVE-2015-4407, CVE-2015-4408 and CVE-2015-4409.

Impact

By exploiting these three vulnerabilities after successfully logging in to the NVR with the correct username and password, attackers could plant malicious HTTP scripts to cause service interruption.

Precondition

The attacker can connect to the NVR device and log in with a correct username and password.

Attack Step

Attackers may send malicious HTTP scripts to selected NVR devices.

Software Versions and Fixes

Obtaining Fixed Firmware

Users should download the updated firmware to guard against these potential vulnerabilities. It is available on the Hikvision official website: (Click Here).

Contact Us

For security problems about Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision Updates Product Firmware with Security Enhancements

March 10, 2015

March 9, 2015 - Hikvision announces that it will release updated product firmware gradually during March 2015. With this update, alerts are added to request that users change the default password. The update will include the following security enhancements in IPC version 5.3.0 and DVR/NVR version 3.2.0:

  ·If the default password has not been changed, a change-password prompt dialogue will appear when the user attempts to log in.

  ·IPC/DVR/NVR will lock the current login IP address after a certain number of incorrect login attempts.

  ·Telnet access is no longer available.

  ·For IPC, when the user resets the password, a password strength indicator (high, middle, low) will show in the web browser.

Since March 2014, Hikvision has continuously notified customers to change the default password, and has taken the following steps to strengthen the security of its products. End users may always visit the Security Center on our website for further information and updates.

Notifications to End-Users, OEMs, Installers and System Integrators

     1.    On December 5th, 2014, Hikvision began to include a warning notice in each product package to alert end users to change the default password during installation.

     2.    In September 2014, Hikvision posted a notice about changing the default password in the DDNS.

     3.    In March 2014, Hikvision added a notice to the company website about changing the default password. It also edited its user manuals by adding a notice to change the default password.

     4.    In March 2014, Hikvision created the Security Center on its website. This center includes best practices for end users; information for OEM customers, installers, contractors and system integrators; and allows security researchers to disclose potential security vulnerabilities to Hikvision.

Historical Updates of Product Firmware:

1.    IPC updates

     a)    In July 2014, Hikvision released IPC version 5.2.0, which included the following additional security measures:

   ·        No plain text is shown when creating a new user account or changing the password, and the username and password cannot be reproduced or copied.

     b)   In December 2013, Hikvision released IPC version 5.1.0, which included the following additional security measures:

   ·        Encryption of login information and all transmitted data.

   ·        Telnet is disabled by default.

2.    DVR/NVR updates

Security features for DVR/NVR devices running on a number of platforms have also been upgraded as follows:

     a)    The following are updates for the DS-7100/7200/7300/8100 series DVR:

   ·        Version 3.0.0, released in February 2014: telnet access is disabled by default. (For the DS-7100 series DVR, the firmware version is 2.2.13.)

   ·        Version 3.1.3, released in December 2014: a prompt dialog box for changing the password appears if the default password has not been changed; when logging in to the DVR from the local menu, the login account is locked for some time after several incorrect login attempts. (For the DS-7100 series DVR, this firmware version is 2.2.15.)

     b)   The following are updates for the Netra DS-9100/9000/9500/9600/8000/8100/8500/8600/7600/7700 series DVR/NVR:

   ·        Version 3.1.0, released in January 2014: telnet access is disabled by default.

Hikvision is dedicated to providing top quality video surveillance products and solutions to customers worldwide. We appreciate continued support from our valued customers and partners.

HANGZHOU HIKVISION DIGITAL TECHNOLOGY CO., LTD.

March 2015

Security Notification – Buffer Overflow Vulnerability in Hikvision DVR Devices

November 28, 2014

SN No.: HSRC-201411-02

Initial Release Date: 2014-11-28

Update Release Date: 2014-12-06

Summary

While processing specific RTSP requests, buffer overflow vulnerabilities may occur in select Hikvision DVRs, which may result in service interruption for users.

These issues have been assigned Common Vulnerabilities and Exposures (CVE) IDs: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880.

Software Versions and Fixes

Impact

By exploiting these three vulnerabilities, attackers are able to plant scripts into the file system to cause service interruptions.

Technical Details

Precondition

DVR devices need to be connected to a network with external access.

Attack Step

An attacker sends malicious scripts to DVR devices.

Obtaining Fixed Software

Users may download the updated firmware from the Hikvision official website: (Click Here).

Contact Method

For security problems with Hikvision products and solutions, please contact: hsrc@hikvision.com.

Announcement of network device utilization

March 11, 2014

Dear Customers:

With the popularity of network video surveillance, more and more networking products are used on public networks, such as Network Video Recorders, Network Cameras, and Routers. But the public network environment is more vulnerable than an internal network. Your devices might be attacked by various threats, such as malicious network scanning, if they are used on public networks without changing their default passwords.

We have learned that some of our customers do not change the default passwords, which might cause heavy damage and losses.

Therefore, we strongly recommend that you change the default passwords of your networking devices before using them on a public network.

We appreciate your continued support of HIKVISION.

HIKVISION Digital Technology Co., Ltd.

March, 2014

Hikvision Security Flaws Handling Procedure

March 11, 2014

SN No.: HSRC-201403-01

Published by: Hikvision Security Response Center

Published at: 2014-03-11

Content:

1. Hikvision attaches great importance to the information security of its products and solutions. We promise that for every problem reported, a specially assigned person will follow up, analyze it and give feedback in a timely manner.

2. Hikvision supports responsible flaw disclosure and handling. To protect the interests of our customers, we promise that those who help us improve information security will be appreciated and rewarded.

3. Hikvision objects to and condemns all actions that exploit security flaws to damage customer interests, including but not limited to the theft of users' private information or virtual property, unauthorized system access and data retrieval, and the malicious spreading of security flaws and data.

4. Hikvision believes that the handling of each security flaw and the progress of the whole security industry must be a joint effort of every party. Hikvision hopes to strengthen cooperation with other enterprises in the industry, security companies and security researchers to maintain the information security of the surveillance industry.

Thank you for your interest in Hikvision and our products.