Security Notification - Command Injection Vulnerability in Some Hikvision products
SN No.: HSRC-202109-01
Edit: Hikvision Security Response Center (HSRC)
Initial release date: 2021-09-19
Summary:
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
CVE ID:
CVE-2021-36260
Scoring:
CVSS v3 is adopted in this vulnerability scoring(http://www.first.org/cvss/specification-document)
Base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Temporal score: 8.8 (E:P/RL:O/RC:C)
Affected versions and resolved version:
Your device firmware is affected by this security vulnerability (CVE-2021-36260) if its version dated earlier than 210628. Please install the updates immediately. Information of affected versions and resolved versions:
Product name |
Affected version(s) |
DS-2CVxxx1 |
Versions which Build time before 210625 |
IPC-xxxx |
|
DS-2CD1xx1 |
|
DS-2CD1x23G0 DS-2CD1x23G0E(C) |
|
DS-2CD1xx7G0 |
|
DS-2CD2xx6G2 DS-2CD2xx6G2(C) DS-2CD2xx7G2 DS-2CD2xx7G2(C) |
|
DS-2CD2x21G0 DS-2CD2x21G0(C) DS-2CD2x21G1 DS-2CD2x21G1(C) |
|
DS-2CD2xx3G2 |
|
DS-2CD3xx6G2 DS-2CD3xx6G2(C) |
|
DS-2CD3xx7G0E |
|
DS-2CD3x21G0 DS-2CD3x21G0(C) |
|
DS-2CD3xx3G2 |
|
DS-2CD4xx0 |
|
DS-2XE62x2F(D) |
|
DS-2CD8Cx6G0 |
|
(i)DS-2DExxxx |
|
(i)DS-2PTxxxx |
|
(i)DS-2SE7xxxx |
|
DS-2DYHxxxx |
|
DS-DY9xxxx |
|
PTZ-Nxxxx |
|
DS-2DF5xxxx |
|
iDS-2PT9xxxx |
|
iDS-2SK7xxxx |
|
iDS-2SR8xxxx |
|
iDS-2VSxxxx |
|
DS-2TBxxx |
Versions which Build time before 210702 |
DS-2TD1xxx-xx |
|
DS-2TD41xx-xx/Wx |
|
DS-76xxNI-K1xx(C) |
V4.30.210 Build201224 - V4.31.000 Build210511 |
DS-71xxNI-Q1xx(C) |
V4.30.300 Build210221 - V4.31.100 Build210511 |
Precondition:
The attacker has access to the device network or the device has direct interface with the internet
Attack step:
Send a specially crafted message.
Obtaining fixed firmware:
Users should download the updated firmware to guard against this potential vulnerability. It is available on the Hikvision official website: Firmware download. Users can also use the Search Tool for Important Firmware Update to quickly detect critical vulnerabilities and download corresponding firmware.
Source of vulnerability information:
This vulnerability is reported to HSRC by UK security researcher Watchful IP.
Contact Us:
Should you have a security problem or concern, please contact Hikvision Security Response Center at hsrc@hikvision.com.
2021-09-19 V1.0 INITIAL
2021-09-23 V1.1 UPDATED: Updated Affected Versions
2021-09-24 V1.2 UPDATED: Updated Affected Versions
2021-11-08 V1.3 UPDATED: Updated Affected Versions
2021-12-31 V1.4 UPDATED: Updated Affected Versions
Download
Hikvision.com uses strictly necessary cookies and related technologies to enable the website to function. With your consent, we would also like to use cookies to observe and analyse traffic levels and other metrics / show you targeted advertising / show you advertising on the basis of your location / tailor our website's content. For more information on cookie practices please refer to our cookie policy.
