FAQs: Command Injection Vulnerability

FAQs: Command Injection Vulnerability

 

Q: What is the Command Injection Vulnerability?

A: As stated in Hikvision official HSRC-202109-01 Security Notification, a Command Injection Vulnerability was found in the web server of some Hikvision products. Due to an insufficient input validation, an attacker could potentially exploit the vulnerability to launch a command injection attack by sending a specially crafted message with malicious commands.

 

Q: Where can I get more information?

A: • Hikvision Security Notification. The company has released Security Notification on the company’s website on September 18th and posted on social media accounts on September 19th. 

Security Researcher Disclosure Report 

 

Q: Is this a Chinese government back door?

A: No. Hikvision does not have government backdoors in our products. Watchful_IP, the security researcher who responsibly reported this vulnerability to Hikvision, stated,  “No, definitely NOT. You wouldn’t do it like this. And not all firmware types are affected.”

 

Q: What has Hikvision done to deal with the vulnerability?

A: Hikvision follows responsible disclosure principles and the standard Coordinated Vulnerability Disclosure Process that is widely accepted in global industries and pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way to best protects the owners and end users of software. 

On June 23, 2021, Hikvision was contacted by a security researcher, named Watchful IP, who reported a potential vulnerability in a Hikvision camera. Once we confirmed receipt of this report, Hikvision worked directly with the researcher to patch and verify the successful mitigation of the reported vulnerability.

As the researcher noted in his disclosure report that he was “pleased to note this problem was fixed in the way recommended.”

After the company and the researcher both ensured that the vulnerability had properly patched by the updated firmware, we released the Security Notification on the company’s website and social media on September 19th.

 

Q: What’s the company’s recommendation regarding ‘port forwarding’?

A: An industry blog included the misleading information regarding the company’s recommendation on ‘port forwarding’ in its recent post. Please note, according to the company’s guideline “