Hikvision Remote Code Execution / XSS / SQL Injection

Detailed Information------------------------------------------------------------------------------------------------------------------------------------------------------------------------Product Name: HikvisionVendor Home Page:  https://www.hikvision.comFixed Version: fixed versions were released by HikvisionVulnerability Type: CWE-78,89 and 94CVE Numbers: CVE-2022-28171-CVE-2022-28172Author of Advisory: Thurein Soe------------------------------------------------------------------------------------------------------------------------------------------------------------------------Vendor Description:Hikvision is a world-leading surveillance manufacturer and supplier ofvideo surveillance and Internet of Things (IoT) equipment for civilian andmilitary purposes.------------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability description:Some Hikvision Hybrid SAN Products were vulnerable to multiple remote codeexecution (command injection) vulnerabilities, including Reflected XSS,Ruby code injection, classic and blind SQL injection resulting in remotecode execution that allows an adversary to execute arbitrary operatingsystem commands etc. However, an adversary must be on the same network toleverage this vulnerability to execute arbitrary commands.------------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerable Versions:Ds-a71024 FirmwareDs-a71024 FirmwareDs-a71048r-cvs FirmwareDs-a71048 FirmwareDs-a71072r FirmwareDs-a71072r FirmwareDs-a72024 FirmwareDs-a72024 FirmwareDs-a72048r-cvs FirmwareDs-a72072r FirmwareDs-a80316s FirmwareDs-a80624s FirmwareDs-a81016s FirmwareDs-a82024d FirmwareDs-a71048r-cvsDs-a71024Ds-a71048Ds-a71072rDs-a80624sDs-a82024dDs-a80316sDs-a81016s------------------------------------------------------------------------------------------------------------------------------------------------------------------------Credits:Thurein Soe------------------------------------------------------------------------------------------------------------------------------------------------------------------------References:https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products/https://cve.report/CVE-2022-28171------------------------------------------------------------------------------------------------------------------------------------------------------------------------Timeline:11 March 2022: Found security vulnerabilities in a few Hikvision Hybrid SANProducts23 March 2022: Reported the finding to Hikvision Security Response Center(HSRC) team24 March 2022: Hikvision Security Response Center (HSRC) team requestedfurther details of reproduction steps and remediation25 March 2022: Further details of reproduction and remediation steps sentto the Hikvision Security Response Center (HSRC) team26 March 2022: Hikvision Security Response Center (HSRC) team agreed toissue only two CVEs due to multiple vulnerabilities in a single parameter22 June 2022: Hikvision Release the Initial fixed Version for the affectedproducts in June 2022.------------------------------------------------------------------------------------------------------------------------------------------------------------------------