Security Vulnerabilities in Hikvision NVR Devices

SN No. HSRC-202404-01

Edit: HSRC (Hikvision Security Response Center)

Initial release date: 2024-04-02

 

Summary:

1. There is a NULL pointer dereference vulnerability in some Hikvision NVRs. Due to an insufficient validation of a parameter in a message, an attacker may send specially crafted messages to an affected product, causing a process abnormality. 

2. There is an out-of-bounds read vulnerability in some Hikvision NVRs. An authenticated attacker could exploit this vulnerability by sending specially crafted messages to a vulnerable device, causing a service abnormality.

3. There is a command injection vulnerability in some Hikvision NVRs. This could allow an authenticated user with administrative rights to execute arbitrary commands.

Hikvision recommends users set up complex device passwords to mitigate the possibility of the above vulnerabilities being exploited.

 

CVE ID:

CVE-2024-29947 

CVE-2024-29948

CVE-2024-29949

 

Scoring:

CVSS v3.1 is adopted in scoring these vulnerabilities (http://www.first.org/cvss/specification-document).

CVE-2024-29947

Base score: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L)

CVE-2024-29948

Base score: 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L)

CVE-2024-29949

Base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

 

Affected Versions and Fixes:

Product name: DS-7604NI-K1 / 4P(B)
Affected by: CVE-2024-29947 & CVE-2024-29949
Affected versions: V4.30.096 build221220 and the versions prior to it

Product name: DS-7604NXI-K1/4P
Affected by: CVE-2024-29948
Affected versions: V4.76.005 build231012 and the versions prior to it

Product name:
DS-76xxNI-Mx, DS-77xxNI-Mx, DS-96xxxNI-Mxx
DS-76xxNXI-Ix, DS-77xxNXI-Ix, DS-86xxNXI-Ix, DS-96xxNXI-Ix
iDS-76xxNXI-Mx, iDS-77xxNXI-Mx, iDS-96xxxMXI-Mxx
Affected by: CVE-2024-29949
Affected versions: Versions after V5.00.000 (including V5.00.000) and before V5.02.006 (not including V5.02.006)

Product name: DS-7604NI-M1/4P
Affected by: CVE-2024-29949
Affected versions: Versions after V5.00.000 (including V5.00.000) and before V5.01.070 (not including V5.01.070)

 

Obtaining Fixed Versions

Users can download patches/updates on the Hikvision official website
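
To triage an NVR inventory against the affected-versions table above, the following Python check is an added example, not Hikvision code. It assumes each lowercase x in a series name stands for one letter or digit, that series models may carry a "/..." suffix, and that a firmware string without a build number counts as build 0; the inventory entries at the bottom are constructed.

```python
import re

# Rows of the advisory's "Affected Versions and Fixes" table, most specific first.
# Each row: (models, CVEs, lowest affected version or None, upper bound, bound included?)
SERIES = ["DS-76xxNI-Mx", "DS-77xxNI-Mx", "DS-96xxxNI-Mxx", "DS-76xxNXI-Ix",
          "DS-77xxNXI-Ix", "DS-86xxNXI-Ix", "DS-96xxNXI-Ix", "iDS-76xxNXI-Mx",
          "iDS-77xxNXI-Mx", "iDS-96xxxMXI-Mxx"]
ROWS = [
    (["DS-7604NI-K1 / 4P(B)"], ["CVE-2024-29947", "CVE-2024-29949"],
     None, (4, 30, 96, 221220), True),
    (["DS-7604NXI-K1/4P"], ["CVE-2024-29948"], None, (4, 76, 5, 231012), True),
    # Listed before the series row: it also fits DS-76xxNI-Mx but has its own fix version.
    (["DS-7604NI-M1/4P"], ["CVE-2024-29949"], (5, 0, 0), (5, 1, 70), False),
    (SERIES, ["CVE-2024-29949"], (5, 0, 0), (5, 2, 6), False),
]

def model_regex(pattern):
    """Assumption: each lowercase 'x' stands for one letter or digit, and a
    wildcard (series) model may carry a '/...' ordering suffix."""
    wildcard = "x" in pattern
    body = "".join("[0-9A-Z]" if c == "x" else re.escape(c.upper())
                   for c in pattern if not c.isspace())
    return re.compile(body + ("(/.+)?" if wildcard else "") + "$")

def parse_version(text):
    """'V4.30.096 build221220' -> (4, 30, 96, 221220); a missing build becomes 0."""
    m = re.search(r"V?(\d+)\.(\d+)\.(\d+)(?:\s*build\s*(\d+))?", text, re.I)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def affected_cves(model, firmware):
    """Return the CVEs the table lists for this model/firmware, [] if the
    firmware is outside the affected range, or None if the model is not listed."""
    name = re.sub(r"\s+", "", model).upper()
    ver = parse_version(firmware)
    for models, cves, low, high, inclusive in ROWS:
        if not any(model_regex(p).match(name) for p in models):
            continue
        n = len(high)  # the build number is compared only where the row gives one
        below = ver[:n] <= high if inclusive else ver[:n] < high
        return cves if below and (low is None or ver[:3] >= low) else []
    return None

if __name__ == "__main__":
    # Constructed inventory entries, not taken from the advisory.
    for model, fw in [("DS-7608NI-M2/8P", "V5.01.080"), ("DS-7604NI-M1/4P", "V5.01.080")]:
        print(model, fw, affected_cves(model, fw))
```

A result of None means the model is not in the table and needs manual review, not that it is unaffected.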

 

Source of vulnerability information

These vulnerabilities were reported to HSRC by Team.ENVY (KITRI BoB 12th).

 

Contact Us

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision would like to thank all security researchers for your attention to our products.

 

This Security Notice is released and updated based on Hikvision's current investigation results and is subject to changes. 
