Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

watchful_ip said:
Those look to be IPC_R0 and IPC_R6 and you should be fine.
Click to expand...
It appears R6 is vulnerable? From someone who reached out to Hikvision UK:
Hikvision UK said:
Yes, your model is not on the initial list of affected cameras, but in reality, this issue will affect almost all Hikvision cameras as most of them are not running firmware with a build time more recent than 210625 (25th June 2021). If you go back to that vulnerability post you will see that I have updated the fixed firmware table today with more models that were not on the initial list.

Currently, Hikvision has not published a fixed firmware for R6 cameras (2x22FWD, 2x42FWD) like the one you have, but there should be a new version posted in the next couple of days.

I should also point out that we are based in the UK so all the firmware I have linked to in that table is from the UK & EU portals and those versions may not be compatible with US camera models.

If you can't get a response from US Hikvision support then I would just keep monitoring the product page because the fixed firmware should be posted publicly soon.
Click to expand...
 
  • Like
Reactions: mat200, alastairstevenson, sebastiantombs and 1 other person
Only device types I found to be exploitable were in the report.

Though I'm not beyond making a mistake - if you check the github commits you'll see I barely know how to put a page together without loads of errors :p Couldn't even get my email address right.....

I suck

I'm not able to provide more info than is the report though, so if I don't address points here, or reply even in private that's why - no offense is intended to anybody.

An as aside, there's a free cybersecurity course they've put out:

Hikvision Cybersecurity Course

In it Hikvision recommend not to expose IoT devices to the Internet, and to put them on a separate part of the network that's restricted. That's advice I can definitely agree with.
 
Last edited:
  • Like
  • Love
Reactions: iTuneDVR, mat200, alastairstevenson and 1 other person
It seems that the new firmware removes the feature to link the LEDs to motion detection on model 2047G2 and 2087G2 .
Its only available in version 5.5.114

This is ridiculous.

before:
before.png

after update:
after.png
 
user8963 said:
It seems that the new firmware removes the feature to link the LEDs to motion detection on model 2047G2 and 2087G2 .
Its only available in version 5.5.114

This is ridiculous.

before:
View attachment 102631

after update:
View attachment 102632
Click to expand...
This (5.5.114) is regarding that firmware based on G5 (C) models and has the led lights into it ;-) I'm not sure if 5.5.800 (for the remove of the vulnerabilities) for the firmware based on G3 (non-C) models also remove the LED part. That was for sure the case in de (C) model firmware, but i haven't installed this new firmware on my G3 firmware devices.

Then hikvision made it very difficult also to bring out 5.5.800 for the G3 firmware. while they earlier did that numbering only for the G5 firmware (C models).

regarding G5 (C) : 5.5.800 and 5.5.801 removes the led light, and 5.5.114 restores it. The vulnerability is still in the 5.5.114. @watchful_ip
regarding G3 (non-C) 5.5.800 G3 is to remove the vulnerability, the ledlight option has not been removed @ljw2k
 
Last edited:
  • Like
  • Sad
Reactions: ljw2k and user8963
If the build date is before 21 June 2021 when I reported it, then IPC_G3/IPC_G5 is vulnerable.

Though if it's not accessible on the Internet, and no access to your internal network is possible, then you're not really at any significant risk.
 
Last edited:
  • Like
Reactions: fenderman, SouthernYankee and Mtv
watchful_ip said:
Those look to be IPC_R0 and IPC_R6 and you should be fine.

A good rule of thumb, is to check the Hikvision's Global Firmware site, and if there's new firmware for your camera there apply it (assuming it's a non-imported camera).
Click to expand...

I note that HikVision has posted a new firmware for the R0 cameras on the European site, 3 days ago. The previous update was in 2017. I'm wondering if they're not listed as vulnerable because they're considered obsolete products? Or maybe there's a closely-related error they've decided to fix.

It'd be nice to have a testing tool... which I expect can't happen until everyone's had a chance to install new firmware.

EDIT: I've installed that new firmware on both my "International English" R0 cameras, and it appears to be running just fine. (One of them is originally the Chinese version de-bricked and forced to international by a lovely hack from these here forums.) No new features, but then I would assume they only fixed what needed fixing.
 
Last edited:
Thank you both very much, watchful_ip and alastairstevenson.

Does anybody know if DS-7716NXI-I4/S, 1st Generation Acusense NVR is affected?
Hikvision has an update only for 3rd Generation Acusense (C) at latest firmware.
In fact has 2 times DS-7716NXI-I4/S linked to the same firmware update V4.40.815_210709, only for (C).
Nothing at EU portal.

aaaaa.JPG

Also did you notice any malfunction upgrading from 5.5.160_210416 to V5.5.800 build210628 at G3 platform(2XX6G2 no ISU / SL)?
 
The use-ip.co.uk forum has some useful chat on this big vulnerability.
Use-IP have very helpfully started populating a table of models against updated firmware.
Check the posts above this one, also the update Hikvision notifications here :

Firmware - Hikvision declare new vulnerabilities in mass email blast sent Saturday 18th September 2021

Yesterday evening I received an email from Hivision detailing a critical vulnerability in a number of their products and a link to new firmware. The advisory is: Here It appears I have two camera models affected by this, as they match the document, but the link to new firmware produces no...
www.use-ip.co.uk www.use-ip.co.uk
 
  • Like
Reactions: medtech1, watchful_ip, sebastiantombs and 1 other person
Last edited:
  • Like
Reactions: awonson
alastairstevenson said:
All credit to @watchful_ip - all I did was provide the testing ground.
Click to expand...
Way more than that!

@alastairstevenson was a HUGE help. He kept my confidence on this for a long time before this went public, and though there were things I couldn't share even with him, his support was invaluable. A large amount of credit goes to him but he's too modest to accept it and probably would prefer I didn't mention it :)
 
Last edited:
  • Like
  • Haha
  • Love
Reactions: fenderman, SouthernYankee, 14179 and 2 others
Nice job on finding this!

Question, anyway of knowing that a OEM Supplier of HIK USA firmware is patched?

I contacted our reseller we've purchased many CompanyBrand(Hikvision) cameras from but their serials and model numbers are different that ones listed on the CVE. They told me that their OEM line not Hik USA and therefore not compatible with hik firmware or the vulnerability. However they have a hikvision login page when going to the camera. Sooo..... I'd love to see if these rebranded Hikvisions are vulnerable even though they've stated otherwise.
 
  • Like
Reactions: Flintstone61 and watchful_ip
Is there a "Firmware Version Property" field in System Settings | Basic Information ?

If there is it should give an indication as to the type of device firmware it uses.
 
Awesome, now I see how to reference your guide and the correlation on firmware versions, so the IPC_XX or IPD_XX matches the version property listed on the camera settings page?
 
You must log in or register to reply here.
Top Bottom