Q: What is the Command Injection Vulnerability?
A: As stated in Hikvision official HSRC-202109-01 Security Notification, a Command Injection Vulnerability was found in the web server of some Hikvision products. Due to an insufficient input validation, an attacker could potentially exploit the vulnerability to launch a command injection attack by sending a specially crafted message with malicious commands.
Q: Where can I get more information?
A: • Hikvision Security Notification. The company has released Security Notification on the company’s website on September 18th and posted on social media accounts on September 19th.
• Security Researcher Disclosure Report
Q: Is this a Chinese government back door?
A: No. Hikvision does not have government backdoors in our products. Watchful_IP, the security researcher who responsibly reported this vulnerability to Hikvision, stated, “No, definitely NOT. You wouldn’t do it like this. And not all firmware types are affected.”
Q: What has Hikvision done to deal with the vulnerability?
A: Hikvision follows responsible disclosure principles and the standard Coordinated Vulnerability Disclosure Process that is widely accepted in global industries and pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way to best protects the owners and end users of software.
On June 23, 2021, Hikvision was contacted by a security researcher, named Watchful IP, who reported a potential vulnerability in a Hikvision camera. Once we confirmed receipt of this report, Hikvision worked directly with the researcher to patch and verify the successful mitigation of the reported vulnerability.
As the researcher noted in his disclosure report that he was “pleased to note this problem was fixed in the way recommended.”
After the company and the researcher both ensured that the vulnerability had properly patched by the updated firmware, we released the Security Notification on the company’s website and social media on September 19th.
Q: What’s the company’s recommendation regarding ‘port forwarding’?
A: An industry blog included the misleading information regarding the company’s recommendation on ‘port forwarding’ in its recent post. Please note, according to the company’s guideline “About Port Forwarding”, Hikvision cautions its end users against port forwarding, and advises that “port forwarding should only be configured when absolutely necessary.”
Where end users affirmatively choose to configure port forwarding for devices that need to be accessed via the Internet, Hikvision supports the following cybersecurity best practices: (1) “minimize the port numbers exposed to the Internet,” (2) “avoid common ports and reconfigure them to customized ports”; and “enable IP filtering.”, (3) Set a strong password, and (4) upgrade to the latest device firmware released by Hikvision in a timely manner.
Q: How to evaluate the risks of my Hikvision devices?
A: To exploit this vulnerability, an attacker must be on the same network as the vulnerable device. In other words, if the attacker is able to view the log in screen of a vulnerable device, they could attack it. If they cannot get to the login screen of a vulnerable device, they are not able to exploit the vulnerability.
To evaluate the risk level of a vulnerable device, check if the affected model exposes its http/https servers (typically 80/443) directly to the Internet (WAN), which would give a potential attacker the ability to attack that device from the Internet. Below are some examples:
① LAN network without Internet access (low risk)
A potential attacker cannot access the device’s web server from the Internet so the risk is low (attacker must have LAN access to exploit this vulnerability, that’s what we mean with low risk)