Security vulnerability in some Hikvision DVRs

This will be of interest to Hikvision DVR users:

http://news.softpedia.com/news/Hikvision-DVRs-Have-Security-Glitches-That-Allow-Full-Control-of-the-Device-465620.shtml

After looking at data from their Project Sonar (a community effort for active analysis of public network), security researchers from Rapid7 have found a set of three buffer overflow vulnerabilities (CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880) in the RTSP request handling code from Hikvision.

 

Researchers analyzed products from the DS-7200 family and determined that they can be fully compromised by an attacker leveraging exploits for buffer overflow weaknesses in the RTSP (Real Time Streaming Protocol) body, header and basic authentication handling. This protocol is intended for controlling the streaming media servers between endpoints.

I may be wrong, but I don't have the impression that Hikvision, or Dahua put much of a priority on mitigating known/identified security vulnerabilities (even CVE's which are easy to be alerted to).

I'm still surprised that Dahua (NVR) uses 6 character logins and passwords, regardless of account locking.

Given these systems sit on a watered down version of *nix, its surprising to see they don't have better security (since every unix/linux system pretty well out there there has no problem enforcing 8 char min logins).

That being said, I guess you get what you pay for.

Yeah, I think they should mandate passwords long enough to rule out rainbow tables, at a minimum. Personally, my remote-access solution is a Remote Desktop session over TLS1.2 on an oddball port, with a 100-character password (all hail barcode scanners!). And even that only gets me in as a least-privilege user. The recent WinShock vulnerability shows there's no such thing as invulnerable, but at least I know RDP's underpinnings get patched and are subject to ongoing scrutiny.

For those considering the RDP approach (yes, all three of you ), I could cough up some recommendations on security. Some of them require editing Local Group Policy and Local Security Policy, and therefore only work on Pro/Business/Ultimate/Enterprise variants of Windows since they have a local GPO.

Interesting... Those vulnerabilities are on v2.2.x firmwares, I wonder if they still exist on v3.x firmwares.

I work as a Technician joined a company in May 2014, Just-August 2014 I use do follow what others do in my office and did not care about changing DVR password. more than 65 of our DVR where attacked due to using default password, it was solved by upgrading latest firmware and changing password.

The DVR stops recording, all I/O ports, even mouse doesn't show the light. all i can see is power led.

So from then i always change password, use virtual server or port forwarding instead of DMZ, Change HTTP port, Server port and RTSP port.

The Vulnerability was posted on Nov 19, 2014 but Hikvision posted on their website on November 28, 2014

http://overseas.hikvision.com/en/list_435.html

The Vulnerability was posted on Nov 19, 2014 but Hikvision posted on their website on November 28, 2014

http://overseas.hikvision.com/en/list_435.html

I hope the manufacturers exercise due diligence in getting security vulnerabilities resolved. There is so much hacking that goes on out there.

If one monitors "Krebs on security" website and the regular exploits, you become aware fast that security must always be a focus when you put anything on the net.

Being in IT, any network appliance with a 6 character password would never be approved for implemention which makes me surprised that Dahua doesn't allow better security on their NVRs.