New research from Rapid7 has uncovered multiple vulnerabilities in Hikvision digital video recorder (DVR) devices.
Researchers discovered three buffer overflow vulnerabilities in Hikvision's RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. All three flaws can be exploited remotely, without authentication, to execute arbitrary code on the device.
“The problem with [the Internet of Things] is that there is an overwhelming flood of new devices and vendors that, in a lot of cases, make the same mistakes that the PC world suffered from 20 years ago,” Mark Schloesser, security researcher at Rapid7, told SecurityWeek. “The simplicity of compromising a lot of embedded devices leads to an equivalent flood of exploits and thus hacked devices.”
In CVE-2014-4878, the RTSP request handler uses a fixed-size buffer of 2048 bytes to consume the request body, so a body longer than that overflows the buffer. CVE-2014-4879 involves the same handler using fixed-size buffers when parsing the request headers, which overflow when a header with a sufficiently long key is sent. The third flaw, CVE-2014-4880, is a buffer overflow triggered while the handler processes the "Basic Auth" header of an RTSP transaction. In all three cases the length of attacker-supplied data is never compared against the size of the destination buffer before it is copied.
The device tested was a Hikvision DS-7204-HVI-SV digital video recorder running firmware V2.2.10 build 131009 (October 2013). Other devices in the same model range are affected as well, Schloesser explained in a blog post.
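The pattern behind the first two bugs, a fixed-size buffer filled according to an attacker-controlled length, is easy to show in miniature. The following is an added illustration written for this article, not Hikvision's firmware and not Rapid7's code: a hypothetical RTSP body/header parser in its vulnerable form beside a hardened one. The 2048-byte body buffer matches the advisory text; the 64-byte header-key buffer, the request strings and all function names are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_BUF_SIZE 2048   /* fixed body buffer size named in the advisory text */
#define HDR_KEY_SIZE  64     /* assumed size of the header-key buffer (illustrative) */

/* Extract the declared Content-Length from a raw request header block.
 * Returns the value, or -1 if the header is absent or malformed. */
static long parse_content_length(const char *req)
{
    const char *p = strstr(req, "Content-Length:");
    if (p == NULL) return -1;
    p += strlen("Content-Length:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    errno = 0;
    long len = strtol(p, &end, 10);
    if (end == p || errno != 0 || len < 0) return -1;
    return len;
}

/* VULNERABLE pattern (illustrative, not the vendor's code): a fixed
 * 2048-byte stack buffer is filled with as many body bytes as the
 * attacker-supplied Content-Length says. Nothing compares len against
 * sizeof buf, so a larger body overruns the stack frame. Only ever call
 * this with a body that fits; it exists here to show the missing check. */
int consume_body_vulnerable(const char *req, const char *body)
{
    char buf[BODY_BUF_SIZE];
    long len = parse_content_length(req);
    if (len < 0) return -1;
    memcpy(buf, body, (size_t)len);   /* no bound: overflow when len > 2048 */
    return (int)len;
}

/* HARDENED: the declared length is checked against both the destination
 * buffer and the number of bytes actually received before anything is
 * copied. Returns bytes copied (>= 0), -1 for a bad/missing header,
 * -2 if the body would not fit, -3 if fewer bytes arrived than declared. */
int consume_body_hardened(const char *req, const char *body, size_t avail,
                          char *out, size_t out_size)
{
    long len = parse_content_length(req);
    if (len < 0) return -1;
    if (out_size == 0 || (size_t)len > out_size - 1) return -2;
    if ((size_t)len > avail) return -3;
    memcpy(out, body, (size_t)len);
    out[len] = '\0';
    return (int)len;
}

/* HARDENED header-key parse (the second bug class described above): copy
 * the text before ':' into a fixed key buffer only if it fits.
 * Returns the key length, -1 if the line has no ':', -2 if the key is too long. */
int parse_header_key(const char *line, char *key, size_t key_size)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) return -1;
    size_t klen = (size_t)(colon - line);
    if (klen >= key_size) return -2;
    memcpy(key, line, klen);
    key[klen] = '\0';
    return (int)klen;
}

int main(void)
{
    /* Constructed requests for the demo; not captured traffic. */
    const char *ok_req  = "DESCRIBE rtsp://cam/ RTSP/1.0\r\nContent-Length: 10\r\n\r\n";
    const char *big_req = "DESCRIBE rtsp://cam/ RTSP/1.0\r\nContent-Length: 4096\r\n\r\n";
    const char *body = "0123456789";
    char out[BODY_BUF_SIZE];
    char key[HDR_KEY_SIZE];
    char longline[200];

    printf("normal body:   %d\n", consume_body_hardened(ok_req, body, strlen(body), out, sizeof out));
    printf("oversize body: %d\n", consume_body_hardened(big_req, body, strlen(body), out, sizeof out));

    /* A 150-character header key: rejected instead of overflowing key[]. */
    memset(longline, 'A', 150);
    strcpy(longline + 150, ": x");
    printf("long key:      %d\n", parse_header_key(longline, key, sizeof key));
    printf("normal key:    %d (%s)\n", parse_header_key("Authorization: Basic YWE6YmI=", key, sizeof key), key);
    return 0;
}
```

The two hardened checks are independent: one rejects a declared length the buffer cannot hold, the other rejects a length larger than what actually arrived, which otherwise turns into a read past the end of the received data. Because the original flaws are reachable before authentication, the same checks have to run on every request, not only on those from logged-in clients.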
“Hikvision provided no response to these issues after several attempts to contact them,” he blogged. “In order to mitigate these exposures, until a patch is released, Hikvision DVR devices and similar products should not be exposed to the internet without the usual additional protective measures, such as an authenticated proxy, VPN-only access, et cetera.”
After launching Project Sonar in 2013, Rapid7 Labs began investigating several protocols, services and devices that are popular on the Internet, in an attempt to raise awareness of misconfigurations and vulnerabilities. This includes the digital video recorders and network video recorders used to record surveillance footage of office buildings and their surroundings.
“Sieving through our Sonar datasets, several vendors and families of these devices turned up, but the Hikvision models in particular are very popular and widespread across the public IPv4 address space with around 150,000 devices remotely accessible,” he blogged. “Speculating about reasons for this popularity, one could argue that the iPhone app which can view the surveillance streams remotely, is very appealing to a lot of customers.”
In an email to SecurityWeek, Schloesser noted that the affected code did not reuse existing libraries or components, which could easily have avoided the bugs that were found.
“We see a lot of custom code or dangerous combinations of components in embedded devices,” he told SecurityWeek. “Also the weak default credentials are a problem as a lot of customers don’t change them. From my point of view a manufacturer like Hikvision needs to have their contractors and programmers consult with at least one security focused person when developing and bundling their device firmware.”