Security Vulnerability in Some Hikvision Hybrid SAN/Cluster Storage Products

Security Notification – Security Vulnerability in Some Hikvision Hybrid SAN/Cluster Storage Products

SN No. HSRC-202304-01

Edit: Hikvision Security Response Center (HSRC)

Initial Release Date: 2023-04-10

 

Summary

Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to the affected devices.

Hikvision has released a version to fix the vulnerability.

 

CVE ID

CVE-2023-28808

 

Scoring

CVSS v3 is adopted in this vulnerability scoring. 

(http://www.first.org/cvss/specification-document)

CVE-2023-28808

Base score: 9.1(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Temporal score: 8.2 (E:P/RL:O/RC:C).

 

Affected Versions and Fixes

Product Name Affected Versions Download the Patch User Manual
DS-A71024/48/72R  Versions below V2.3.8-8 (including V2.3.8-8) Fixing Security Vulnerability of Hybrid SAN-230407.zip User Guide for Fixing Security Vulnerability of Hybrid SAN_230410
DS-A80624S
DS-A81016S
DS-A72024/72R
DS-A80316S
DS-A82024D
DS-A71024/48R-CVS Versions below V1.1.4 (including V1.1.4) Fixing Security Vulnerability of Cluster Storage-230407.zip User Guide for Fixing Security Vulnerability of Cluster_230410

Precondition

The attacker has network access to the device.

 

Attack Step

Send a specially crafted malicious message.

 

Obtaining Fixed Versions

Users can download patches/updates on the Hikvision official website.

 

Source of vulnerability information

This vulnerability is reported to HSRC by Souvik Kandar, Arko Dhar of the Redinent Innovations team in India, and we also want to acknowledge the cooperation of the National Computer Emergency Response Team of India (CERT-In) who coordinated with us to handle this vulnerability.

 

Contact Us

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision would like to thank all security researchers for your attention to our products.

Hikvision.com uses strictly necessary cookies and related technologies to enable the website to function. With your consent, we would also like to use cookies to observe and analyse traffic levels and other metrics / show you targeted advertising / show you advertising on the basis of your location / tailor our website's content. For more information on cookie practices please refer to our cookie policy.

 

Contact Us

Get a better browsing experience

You are using a web browser we don’t support. Please try one of the following options to have a better experience of our web content.