Products
Smart Hybrid Light
NVR 5.0
2nd Generation Professional Access Control
Commercial Displays
Hik-Partner Pro
Solutions
Retail
Traffic
Perimeter Protection
UK&IE - EN
Commercial Display
X
Products
Smart Hybrid Light
NVR 5.0
2nd Generation Professional Access Control
Commercial Displays
Hik-Partner Pro
Solutions
Retail
Traffic
Perimeter Protection

Security Vulnerability in Some Hikvision Hybrid SAN/Cluster Storage Products

 

    Security Notification – Security Vulnerability in Some Hikvision Hybrid SAN/Cluster Storage Products

    SN No. HSRC-202304-01

    Edit: Hikvision Security Response Center (HSRC)

    Initial Release Date: 2023-04-10

     

    Summary

    Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to the affected devices.

    Hikvision has released a version to fix the vulnerability.

     

    CVE ID

    CVE-2023-28808

     

    Scoring

    CVSS v3 is adopted in this vulnerability scoring. 

    (http://www.first.org/cvss/specification-document)

    CVE-2023-28808

    Base score: 9.1(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

    Temporal score: 8.2 (E:P/RL:O/RC:C).

     

    Affected Versions and Fixes

    Product Name Affected Versions Download the Patch User Manual
    DS-A71024/48/72R  Versions below V2.3.8-8 (including V2.3.8-8) Fixing Security Vulnerability of Hybrid SAN-230407.zip User Guide for Fixing Security Vulnerability of Hybrid SAN_230410
    DS-A80624S
    DS-A81016S
    DS-A72024/72R
    DS-A80316S
    DS-A82024D
    DS-A71024/48R-CVS Versions below V1.1.4 (including V1.1.4) Fixing Security Vulnerability of Cluster Storage-230407.zip User Guide for Fixing Security Vulnerability of Cluster_230410

    Precondition

    The attacker has network access to the device.

     

    Attack Step

    Send a specially crafted malicious message.

     

    Obtaining Fixed Versions

    Users can download patches/updates on the Hikvision official website.

     

    Source of vulnerability information

    This vulnerability is reported to HSRC by Souvik Kandar, Arko Dhar of the Redinent Innovations team in India, and we also want to acknowledge the cooperation of the National Computer Emergency Response Team of India (CERT-In) who coordinated with us to handle this vulnerability.

     

    Contact Us

    To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

    Hikvision would like to thank all security researchers for your attention to our products.

    Hikvision.com uses strictly necessary cookies and related technologies to enable the website to function. With your consent, we would also like to use cookies to observe and analyse traffic levels and other metrics and tailor our website’s content. For more information on cookie practices please refer to our cookie policy.

    Manage Reject all Accept
    Accept
    Reject all Manage
    Contact Sales
    Technical Support
    Online Service
    Subscribe Newsletter
    Where to Buy
    Website Feedback
    Contact Us
    Hik-Partner Pro close
    Hik-Partner Pro
    Security Business Assistant. At Your Fingertips. Learn more
    Hik-Partner Pro
    Scan and download the app
    Download
    Hik-Partner Pro
    Hik-Partner Pro

    Get a better browsing experience

    You are using a web browser we don’t support. Please try one of the following options to have a better experience of our web content.