Privilege Escalation in Hikvision IP Cameras; Not All Can Update

Hikvision, a supplier of video surveillance solutions, released a security bulletin for a privilege escalation vulnerability that affects more than 200 of its IP cameras. An attacker could exploit the flaw to gain access to the device as a user with elevated rights.

This security warning is different from the one published at the beginning of the month. Previously, the company warned of automated online attacks targeting NVRs and DVRs running on firmware pre-dating March 2015 with default port and login information. The company could do nothing but recommend its customers apply newer firmware and use stronger passwords.

In a letter to its customers and partners, Hikvision says the privilege escalation vulnerability affects seven of its IP camera series running specific firmware versions. The company also states the flaw is exploitable under “fairly uncommon circumstances.” It says that, in most set-ups, the devices do not face the Internet directly and are instead connected to an NVR (network video recorder) or a video management software solution. However, many people today use professional surveillance cameras and configure them to be accessible over the web.

Rumors started circulating about a backdoor in Hikvision IP cameras some time before the company took action. IPcamtalk forum user montecrypto said on March 5 that he had informed the company about the vulnerability and that it had until March 20 to fix the issue and “explain why the backdoor is there,” or details would be published.

In a later post, montecrypto says Hikvision reacted quickly and that their “privilege escalation” label is technically correct, since the vulnerability allows attackers to “remotely escalate their privileges from anonymous web surfer to admin.” Montecrypto warns that applying new firmware does not fix the problem for all users, such as owners of multi-language cameras, who cannot install an update because the language would change to Chinese.

At the time it published the security notice, Hikvision had no knowledge of malicious activity related to the vulnerability. To eliminate the cybersecurity risk, the Chinese supplier rolled out firmware updates for all affected IP camera models.

Photo credit: Jack Moreh for Freerangestock.
