Headline
Hikvision Remote Code Execution / XSS / SQL Injection
Some Hikvision Hybrid SAN products were vulnerable to multiple injection vulnerabilities in their web module: reflected cross-site scripting, Ruby code injection, and classic and blind SQL injection, the latter two resulting in remote code execution that lets an adversary run arbitrary operating system commands on the device. The adversary must, however, have network access to the device's web interface (be on the same network) to exploit these vulnerabilities.
Detailed Information
------------------------------------------------------------------------
Product Name: Hikvision Hybrid SAN products
Vendor Home Page: https://www.hikvision.com
Fixed Version: fixed versions were released by Hikvision (June 2022)
Vulnerability Type: CWE-78 (OS command injection), CWE-89 (SQL injection) and CWE-94 (code injection)
CVE Numbers: CVE-2022-28171, CVE-2022-28172
Author of Advisory: Thurein Soe
------------------------------------------------------------------------
Vendor Description:
Hikvision is a world-leading surveillance manufacturer and supplier of video surveillance and Internet of Things (IoT) equipment for civilian and military purposes.
------------------------------------------------------------------------
Vulnerability description:
Some Hikvision Hybrid SAN products were vulnerable to multiple injection vulnerabilities in their web module: reflected XSS, Ruby code injection, and classic and blind SQL injection. The code and SQL injection issues result in remote code execution, allowing an adversary to execute arbitrary operating system commands on the device. The adversary must, however, have network access to the device's web interface (be on the same network) to exploit these vulnerabilities.
------------------------------------------------------------------------
Vulnerable Versions:
Ds-a71024 Firmware
Ds-a71048r-cvs Firmware
Ds-a71048 Firmware
Ds-a71072r Firmware
Ds-a72024 Firmware
Ds-a72048r-cvs Firmware
Ds-a72072r Firmware
Ds-a80316s Firmware
Ds-a80624s Firmware
Ds-a81016s Firmware
Ds-a82024d Firmware
Ds-a71048r-cvs
Ds-a71024
Ds-a71048
Ds-a71072r
Ds-a80624s
Ds-a82024d
Ds-a80316s
Ds-a81016s
------------------------------------------------------------------------
Credits:
Thurein Soe
------------------------------------------------------------------------
References:
https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products/
https://cve.report/CVE-2022-28171
------------------------------------------------------------------------
Timeline:
11 March 2022: Found security vulnerabilities in a few Hikvision Hybrid SAN products
23 March 2022: Reported the findings to the Hikvision Security Response Center (HSRC) team
24 March 2022: HSRC team requested further details of reproduction steps and remediation
25 March 2022: Further details of reproduction and remediation steps sent to the HSRC team
26 March 2022: HSRC team agreed to issue only two CVEs, since multiple vulnerabilities share a single parameter
22 June 2022: Hikvision released the initial fixed versions for the affected products
------------------------------------------------------------------------
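The advisory names three weakness classes (CWE-78, CWE-89 and CWE-94) and a Ruby web module, but gives no parameter names or reproduction steps. The following is an added illustration, not Hikvision's code and not the author's proof of concept: a hypothetical Ruby request-handler helper that takes a "volume name" and a "volume id" (both invented for the example), with each weakness shown in a vulnerable form next to a hardened form. The vulnerable forms really do execute the injected shell command and the injected Ruby when run.

```ruby
# Added example (not from the advisory or the vendor): CWE-78, CWE-89 and
# CWE-94 in a hypothetical Ruby web-handler helper.  The parameter names
# (volume name, volume id) and the SQL table are invented for illustration.
require "open3"

# CWE-78, vulnerable: the user-supplied name is interpolated into a shell
# command line, so /bin/sh interprets ";", "|", "$(...)" and friends.
def volume_label_unsafe(name)
  `echo #{name}`
end

# CWE-78, hardened: argv form spawns no shell.  The whole string is passed
# as one literal argument to echo, so ";" is just a character in the output.
def volume_label_safe(name)
  out, _status = Open3.capture2("echo", name)
  out
end

# CWE-94, vulnerable: eval on attacker-controlled text runs arbitrary Ruby
# inside the web process, which on an appliance is equivalent to OS command
# execution (Kernel#system, backticks, File, ... are all reachable).
def parse_volume_id_unsafe(str)
  eval(str)
end

# CWE-94, hardened: the parameter is meant to be an integer, so accept only
# digits and parse strictly; no interpreter ever sees the raw input.
def parse_volume_id_safe(str)
  unless str.match?(/\A\d+\z/)
    raise ArgumentError, "volume id must be a positive integer"
  end
  Integer(str, 10)
end

# CWE-89, vulnerable: the id is spliced into the SQL text, so "1 OR 1=1"
# rewrites the query's logic (classic injection); a time-based payload in the
# same position gives blind injection, which is what the advisory describes.
def volume_query_unsafe(id)
  "SELECT name FROM volumes WHERE id = #{id}"
end

# CWE-89, hardened: fixed SQL text with a bind placeholder, the value sent
# separately for the driver to bind; it is type-checked first, so the
# statement can only ever receive an integer.  Returns [sql, binds].
def volume_query_safe(id)
  ["SELECT name FROM volumes WHERE id = ?", [parse_volume_id_safe(id)]]
end

if __FILE__ == $PROGRAM_NAME
  payload = "vol1; echo INJECTED"
  puts volume_label_unsafe(payload)   # two lines: vol1 and INJECTED
  puts volume_label_safe(payload)     # one line: the literal payload
  puts volume_query_unsafe("1 OR 1=1")
  p volume_query_safe("42")
end
```

The hardened forms share one design rule: user input is never concatenated into text that a shell, the Ruby interpreter or the SQL parser will read; it is passed out-of-band (an argv element, a bind parameter) or reduced to a typed value before use. That rule, not output escaping, is the fix for all three CWEs listed in the advisory.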
Related news
Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability.
The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability: due to insufficient input validation, an attacker can exploit it for an XSS attack by sending messages containing malicious commands to the affected device.