14 DAY TRIAL // Several digital video recording products from Hikvision have been found vulnerable to security flaws that would allow an attacker to take full control of the device.
This type of equipment is used for surveillance purposes in office buildings and their surrounding areas, and in some cases, they are even monitoring private properties. They can be accessed and handled remotely via a web application that is also available for mobile devices.
Multiple products are affected
After looking at data from their Project Sonar (a community effort for active analysis of public network), security researchers from Rapid7 have found a set of three buffer overflow vulnerabilities (CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880) in the RTSP request handling code from Hikvision.
Researchers analyzed products from the DS-7200 family and determined that they can be fully compromised by an attacker leveraging exploits for buffer overflow weaknesses in the RTSP (Real Time Streaming Protocol) body, header and basic authentication handling. This protocol is intended for controlling the streaming media servers between endpoints.
Technical details of these flaws have been published by Mark Schloesser from Rapid7 in a recent blog post.
According to the researchers, there are about 150,000 such devices present in the IPv4 address space that can be controlled from afar. In some cases, the equipment is protected by the default pair of credentials (admin:12345) defined by the manufacturer.
Exploiting the RTSP basic authentication glitch does not require the attacker to log in, and a Metasploit module was already published on Wednesday.
Vendor was notified but did not respond
Schloesser says that the analyzed firmware version is 2.2.10 build 131009, which was released in October 2013, and that multiple devices are vulnerable.
It appears that Hikvision has been contacted by the security researchers about this matter, but no answer was returned. Until fixes are released, users are required to resort to regular supplementary measures, like authenticated proxy or access through VPN only. It goes without saying that the default username and password need to be changed as soon as possible.
As per the timeline provided by Rapid7 for the disclosure of the vulnerabilities, Hikvision was contacted on September 15, 2014. In early October, the researchers made the issues known to CERT Coordination Center (CERT/CC), and a few days later, CVE (Common Vulnerabilities and Exposures) identifiers were assigned.
Rapid7 warns that researchers from SANS Institute found this year a botnet formed in large part by DVRs and routers, controlled for bitcoin mining. They said that default credentials were tried for the compromise.
