{"id":7248,"date":"2022-08-23T08:16:17","date_gmt":"2022-08-23T08:16:17","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7248"},"modified":"2023-04-20T02:23:21","modified_gmt":"2023-04-20T09:23:21","slug":"security-management-cve-2021-36260-patch-this-hikvision-vulnerability","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/security-management-cve-2021-36260-patch-this-hikvision-vulnerability\/","title":{"rendered":"Security Management: CVE-2021-36260, Patch this Hikvision Vulnerability."},"content":{"rendered":"<p dir=\"ltr\"><strong>More than 3.2 million Hikvision security camera systems remain vulnerable to a critical vulnerability, CVE-2021-36260, which allows hackers to take control of devices remotely, without any user interaction.<\/strong><\/p>\n<p dir=\"ltr\">The video surveillance giant Hikvision disclosed a zero-click vulnerability tracked as CVE-2021-36260, which has existed from at least 2016, according to researchers. The vulnerability that exists in Hikvision camera models is highly susceptible to remote hijacking without requiring a username or password.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">This critical vulnerability carries a CVSS v3 score of 9.8 and allows hackers to bypass the protected shell, limiting the use of the system by their owners to a specific scope of commands. Therefore, CSW experts urge users to address this severe vulnerability on high priority before malicious actors launch attacks against organizations.<\/p>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\">Recent Updates:<\/h2>\n<p dir=\"ltr\"><strong>{Updated on Aug 23, 2022}:<\/strong> Despite a patch being made available in September 2021, CVE-2021-36260 has been trending heavily since October 2021. With the exploit codes being available in public domain, CISA considered this vulnerability dangerous and added it to the KEV catalog in January 2022. According to a latest report, over 80,000 instances of Hikvision cameras with the vulnerability are <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-80-000-exploitable-hikvision-cameras-exposed-online\/\">ripe for exploitation<\/a> even today prompting us to ask the following question &#8211;<\/p>\n<p style=\"text-align: center;\"><strong>Why are enterprises not prioritizing this dangerous vulnerability?\u00a0<\/strong><\/p>\n<blockquote>\n<p dir=\"ltr\">\u201cHackers can exploit the Hikvision vulnerability to gain complete control over camera footage. Further, they can obtain credentials of users of the compromised cameras and use them to penetrate deeper into connected networks.\u201d<\/p>\n<p>Pentester\u2019s Perspective<\/p><\/blockquote>\n<p><strong>{Updated on Dec 10, 2021}:<\/strong> A Mirai-based botnet known as &#8216;Moobot&#8217; is growing rapidly by exploiting a serious command injection issue in web servers of several Hikvision devices. According to Fortinet, \u2018Moobot\u2019 is using CVE-2021-36260 to infect unpatched devices and steal sensitive data from victims.<\/p>\n<p dir=\"ltr\">We recommend users to fix this serious vulnerability before criminal threat actors initiate attacks against organizations.<\/p>\n<h2 dir=\"ltr\"><strong>CVE Findings<\/strong><\/h2>\n<p>&nbsp;<\/p>\n<p><strong>CVE-2021-36260<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2021-36260 is a remotely exploitable command injection vulnerability in some Internet of Things (IoT) cameras produced by Chinese Hikvision that use a web server service.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Researchers <a href=\"https:\/\/watchfulip.github.io\/2021\/09\/18\/Hikvision-IP-Camera-Unauthenticated-RCE.html#affected-firmware-types\">pointed out<\/a> that the attacker just requires access to the http(s) server port (usually 80 and 443), making it simple to exploit the flaw.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><strong>A Critical Vulnerability, Why?<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CISA issued an <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/09\/28\/rce-vulnerability-hikvision-cameras-cve-2021-36260\">alert<\/a> that urges users to patch this critical vulnerability.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Classified under the weakness enumeration, CWE-20 (Improper Input Validation), with a CVSS v3 score of 9.8.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CWE-20 holds third place in MITRE\u2019s <a href=\"https:\/\/cwe.mitre.org\/top25\/archive\/2021\/2021_cwe_top25.html\">2021 CWE Top 25 Most Dangerous Software Weaknesses<\/a>.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Hikvision <a href=\"https:\/\/watchfulip.github.io\/2021\/09\/18\/Hikvision-IP-Camera-Unauthenticated-RCE.html#affected-firmware-types\">published<\/a> several screenshots of the Proof of Concept from an attacker\u2019s perspective.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<blockquote>\n<p dir=\"ltr\">\u201cCWE -20 could affect the control flow or data flow of a program. When software fails to properly validate input, an attacker can design it in a way which is not intended by the rest of the application.\u201d<\/p>\n<\/blockquote>\n<p dir=\"ltr\">This is a reminder of how important it is to patch security vulnerabilities, and to make sure the network is protected with an up-to-date security stack.<\/p>\n<p dir=\"ltr\"><strong>Data of Interest<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Interestingly, 40% of the global surveillance camera market is owned by Hikvision, which includes a huge affected list.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The company provides surveillance products to the global market via more than 2,400 partners in 155 countries and regions.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Most concerning is that none of the popular scanners such as Qualys, Nessus and Nexpose were not able to detect this vulnerability that put unpatched cameras at danger.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\"><strong>Affected Products<\/strong><\/h2>\n<p dir=\"ltr\">The following is the list of affected products that are at risk.<\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shriQ94DBNPPzc0Hy?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p>\n<h2 dir=\"ltr\"><\/h2>\n<h2 dir=\"ltr\"><strong>Global Exposure<\/strong><\/h2>\n<p dir=\"ltr\">The Shodan analysis clearly demonstrates that a number of old firmware still remain vulnerable and are accessible on the Internet.<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2021-36260 has around 3.2 million installations, with the majority of them in the United States and Vietnam.<\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 200px; height: 310px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/global-exposure-hikvison.png\" alt=\"\" \/><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">It\u2019s not surprising that the list of affected is so long; 1.7 million instances of port 80 are prone to be exploited by attackers.<\/p>\n<\/li>\n<\/ul>\n<p style=\"text-align: center;\"><img decoding=\"async\" style=\"width: 300px; height: 200px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/ports-hikvision.png\" alt=\"\" \/><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">This vulnerability is found trending in China, based on Google search results. Could this be an indication that threat actors in China are exploiting this vulnerability or users remediating it?<\/p>\n<\/li>\n<\/ul>\n<p><b id=\"docs-internal-guid-e230a8ab-7fff-3974-1961-837d41f192bb\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/wqoTFQYk59xvdVRPYTBdjusfaivpxX-El9m99kgq-4Vd_vchTZpavBKKTiBi-fqP7yGbvNXNr7XAmhUNPJjdCwXFrOr0mJF1n7NxOkOAWQHcKjTyKo_P318swBgMhI6Zqob8R1L4EBTmBCOLZcum9A\" width=\"642\" height=\"160\" \/><\/b><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/trends.google.com\/trends\/explore?date=now%207-d&amp;q=CVE-2021-36260\">Trending Regions<\/a><\/p>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\"><strong>Stave off an attack. Patch Immediately.<\/strong><\/h2>\n<p>Hikvision described this vulnerability as \u201ca highly critical vulnerability\u201d because an attacker can completely take over an internet-connected camera, and potentially other internal networks, thereby posing a high risk to security management.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\">On September 18, 2021, Hikvision Security Response Center provided a <a href=\"https:\/\/watchfulip.github.io\/2021\/09\/18\/Hikvision-IP-Camera-Unauthenticated-RCE.html#proof-of-concept-poc-example\">patch<\/a> to all vulnerable firmware. In addition to live testing, the code has been decrypted, reversed and confirmed if the deployed patch fixes the issue. Therefore, we recommend organizational security management teams to patch this vulnerability and remain ahead of ever-hungry attackers.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>CSW can help organizations stay ahead of threats and prevent falling victim to attacks. <a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\">Connect with us to know how<\/a>.\u00a0<\/strong><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The video surveillance giant Hikvision disclosed a zero-click vulnerability in Hikvision camera models that is highly susceptible to remote hijacking without requiring a username or password.\u00a0<\/p>\n","protected":false},"author":7,"featured_media":14331,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,123,135],"tags":[89,99,163,162,139],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7248"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7248"}],"version-history":[{"count":6,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7248\/revisions"}],"predecessor-version":[{"id":17886,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7248\/revisions\/17886"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/14331"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}