SecurityWeek

Multiple Vulnerabilities Found in Hikvision DVR Devices

New research from Rapid7 has uncovered multiple vulnerabilities in the Hikvision DVR (Digital Video Recorder) devices.

Researchers discovered three buffer overflow vulnerabilities in Hikvision’s RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. All three flaws can be exploited remotely without authentication to execute arbitrary code.

“The problem with [the Internet of Things] is that there is an overwhelming flood of new devices and vendors that, in a lot of cases, make the same mistakes that the PC world suffered from 20 years ago,” Mark Schloesser, security researcher at Rapid7, told SecurityWeek. “The simplicity of compromising a lot of embedded devices leads to an equivalent flood of exploits and thus hacked devices.”

In CVE-2014-4878, the RTSP request handler uses a fixed-size buffer of 2048 bytes for consuming the HTTP request body, which leads to a buffer overflow condition when a larger body is sent. CVE-2014-4879 involves the RTSP request handler using fixed-size buffers when parsing the HTTP headers, causing a buffer overflow condition when a large header key is sent. The final vulnerability is a buffer overflow condition triggered when the handler processes the “Basic Auth” header of an RTSP transaction.
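The three conditions above share one missing step: checking a length against the fixed buffer before copying. The following C sketch is an added illustration of those checks, not Hikvision's code or Rapid7's; apart from the 2048-byte body buffer named in the article, the buffer sizes, function names and sample inputs are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define BODY_MAX 2048  /* body buffer size stated for CVE-2014-4878 */
#define KEY_MAX  64    /* assumed header-key buffer size */
#define CRED_MAX 32    /* assumed decoded-credential buffer size */
enum { OK = 0, ERR_TOO_LARGE = -1, ERR_MALFORMED = -2 };

/* Copy a request body only if the declared length fits the buffer. */
int copy_body(char dst[BODY_MAX], const char *src, size_t declared_len)
{
    if (declared_len > BODY_MAX)
        return ERR_TOO_LARGE;      /* reject instead of overflowing */
    memcpy(dst, src, declared_len);
    return OK;
}

/* Extract the key of a "Key: value" header line into a fixed buffer. */
int copy_header_key(char dst[KEY_MAX], const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line)
        return ERR_MALFORMED;
    size_t klen = (size_t)(colon - line);
    if (klen >= KEY_MAX)           /* keep one byte for the terminator */
        return ERR_TOO_LARGE;
    memcpy(dst, line, klen);
    dst[klen] = '\0';
    return OK;
}

/* Pre-decode check for a Basic credential: n base64 characters
   decode to at most 3*(n/4) bytes, which must fit with a terminator. */
int basic_auth_fits(const char *b64)
{
    size_t n = strlen(b64);
    if (n == 0 || n % 4 != 0)
        return ERR_MALFORMED;
    return (n / 4) * 3 < CRED_MAX ? OK : ERR_TOO_LARGE;
}

int main(void)
{
    char body[BODY_MAX], key[KEY_MAX];
    /* Constructed inputs: oversize declared length, ordinary header. */
    int a = copy_body(body, "x", BODY_MAX + 1);
    int b = copy_header_key(key, "CSeq: 1");
    return (a == ERR_TOO_LARGE && b == OK) ? 0 : 1;
}
```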

The device that was tested was a Hikvision-DS-7204-HVI-SV digital video recorder device with firmware V2.2.10 build 131009 (Oct 2013). Other devices in the same model range are affected as well, Schloesser explained in a blog post.

“Hikvision provided no response to these issues after several attempts to contact them,” he blogged. “In order to mitigate these exposures, until a patch is released, Hikvision DVR devices and similar products should not be exposed to internet without the usual additional protective measures, such as an authenticated proxy, VPN-only access, et cetera.”

After starting Project Sonar in 2013, Rapid7 Labs began investigating several protocols, services and devices popular on the Internet in an attempt to raise awareness of misconfigurations and vulnerabilities. This includes digital video recorders and network video recorders used to record surveillance footage of office buildings and surrounding areas.

“Sieving through our Sonar datasets, several vendors and families of these devices turned up, but the Hikvision models in particular are very popular and widespread across the public IPv4 address space with around 150,000 devices remotely accessible,” he blogged. “Speculating about reasons for this popularity, one could argue that the iPhone app which can view the surveillance streams remotely, is very appealing to a lot of customers.”

In an email to SecurityWeek, Schloesser noted that there was no re-use of existing libraries or components, which could easily have avoided the bugs that were found.

“We see a lot of custom code or dangerous combinations of components in embedded devices,” he told SecurityWeek. “Also the weak default credentials are a problem as a lot of customers don’t change them. From my point of view a manufacturer like Hikvision needs to have their contractors and programmers consult with at least one security focused person when developing and bundling their device firmware.”
