Security Notification – Security Vulnerability in Some Hikvision Hybrid SAN/Cluster Storage Products
SN No. HSRC-202304-01
Editor: Hikvision Security Response Center (HSRC)
Initial Release Date: 2023-04-10
Summary
Some Hikvision Hybrid SAN/Cluster Storage products contain an access control vulnerability that can be exploited to obtain administrator privileges on the device. An attacker with network access to an affected device can trigger the vulnerability by sending crafted messages to it; no authentication or user interaction is required (see the CVSS vector below).
Hikvision has released a version to fix the vulnerability.
CVE ID
CVE-2023-28808
Scoring
CVSS v3 is adopted in this vulnerability scoring.
(http://www.first.org/cvss/specification-document)
CVE-2023-28808
Base score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Temporal score: 8.2 (E:P/RL:O/RC:C)
Affected Versions and Fixes
Product Name | Affected Versions | Download the Patch | User Manual |
DS-A71024/48/72R | V2.3.8-8 and all earlier versions | Fixing Security Vulnerability of Hybrid SAN-230407.zip | User Guide for Fixing Security Vulnerability of Hybrid SAN_230410 |
DS-A80624S | V2.3.8-8 and all earlier versions | Fixing Security Vulnerability of Hybrid SAN-230407.zip | User Guide for Fixing Security Vulnerability of Hybrid SAN_230410 |
DS-A81016S | V2.3.8-8 and all earlier versions | Fixing Security Vulnerability of Hybrid SAN-230407.zip | User Guide for Fixing Security Vulnerability of Hybrid SAN_230410 |
DS-A72024/72R | V2.3.8-8 and all earlier versions | Fixing Security Vulnerability of Hybrid SAN-230407.zip | User Guide for Fixing Security Vulnerability of Hybrid SAN_230410 |
DS-A80316S | V2.3.8-8 and all earlier versions | Fixing Security Vulnerability of Hybrid SAN-230407.zip | User Guide for Fixing Security Vulnerability of Hybrid SAN_230410 |
DS-A82024D | V2.3.8-8 and all earlier versions | Fixing Security Vulnerability of Hybrid SAN-230407.zip | User Guide for Fixing Security Vulnerability of Hybrid SAN_230410 |
DS-A71024/48R-CVS | V1.1.4 and all earlier versions | Fixing Security Vulnerability of Cluster Storage-230407.zip | User Guide for Fixing Security Vulnerability of Cluster_230410 |
Note: the affected-version column lists the highest affected version for each product line; any device running that version or an earlier one should be patched.
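The table above gives a version ceiling per product line, so the practical question for an operator is which devices in an inventory fall at or below it. The script below is an added example written for this page, not a Hikvision tool. It assumes two things the advisory does not state: that version strings follow the form V<major>.<minor>.<patch>[-<build>] and compare numerically field by field (so V2.3.10-1 is newer than V2.3.8-8, which a plain string comparison would get wrong), and that a product name written "DS-A71024/48/72R" denotes the variants DS-A71024R, DS-A71048R and DS-A71072R. The inventory at the bottom is constructed sample data.

```python
"""Inventory check for Hikvision SN HSRC-202304-01 (CVE-2023-28808).

Added example, not from the advisory. Assumptions not stated on the page:
- Versions look like V<major>.<minor>.<patch>[-<build>] and are compared
  numerically field by field; a missing build number counts as 0.
- "DS-A71024/48/72R" means the variants DS-A71024R, DS-A71048R, DS-A71072R
  (the 2-digit alternates replace the last two digits of the bay code).
"""
import re
from typing import Dict, List, Optional, Tuple

# Highest affected version per product line, copied from the advisory table.
AFFECTED_CEILING = {
    "DS-A71024/48/72R": "V2.3.8-8",
    "DS-A80624S": "V2.3.8-8",
    "DS-A81016S": "V2.3.8-8",
    "DS-A72024/72R": "V2.3.8-8",
    "DS-A80316S": "V2.3.8-8",
    "DS-A82024D": "V2.3.8-8",
    "DS-A71024/48R-CVS": "V1.1.4",
}

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'V2.3.8-8' into (2, 3, 8, 8) so tuples compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def expand_models(name: str) -> List[str]:
    """Expand the advisory's slash notation into concrete model names (assumed convention)."""
    head, sep, rest = name.partition("/")
    if not sep:
        return [name]
    m = re.match(r"^((?:\d+/)*\d+)(.*)$", rest)  # e.g. '48/72R' -> ('48/72', 'R')
    alternates, suffix = m.group(1).split("/"), m.group(2)
    models = [head + suffix]
    for alt in alternates:
        models.append(head[: -len(alt)] + alt + suffix)
    return models


def build_ceilings() -> Dict[str, Tuple[int, int, int, int]]:
    """Map every concrete model name to its parsed version ceiling."""
    ceilings = {}
    for line, ceiling in AFFECTED_CEILING.items():
        for model in expand_models(line):
            ceilings[model] = parse_version(ceiling)
    return ceilings


MODEL_CEILING = build_ceilings()


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the device is at or below the ceiling, False if newer, None if not listed."""
    ceiling = MODEL_CEILING.get(model)
    if ceiling is None:
        return None
    return parse_version(version) <= ceiling


def check_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (model, version) pair as 'PATCH', 'OK' or 'NOT LISTED'."""
    labels = {True: "PATCH", False: "OK", None: "NOT LISTED"}
    return [(model, ver, labels[is_affected(model, ver)]) for model, ver in inventory]


# Constructed sample inventory; model/version pairs are illustrative, not real hosts.
SAMPLE_INVENTORY = [
    ("DS-A71048R", "V2.3.8-8"),       # exactly at the ceiling -> affected
    ("DS-A80624S", "V2.3.8-7"),       # earlier build -> affected
    ("DS-A71024R-CVS", "V1.1.4"),     # cluster line, at ceiling -> affected
    ("DS-A71024R-CVS", "V1.1.5"),     # newer -> not affected
    ("DS-A71024R", "V2.3.10-1"),      # numerically newer than 2.3.8 -> not affected
    ("DS-7608NI-I2", "V4.62.200"),    # not a product in this advisory
]

if __name__ == "__main__":
    for model, version, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{model:18} {version:12} {status}")
```

The numeric comparison is the part worth keeping: an inventory script that compares "V2.3.10-1" and "V2.3.8-8" as strings would report the patched device as vulnerable.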
Precondition
The attacker has network access to the device.
Attack Step
Send a specially crafted malicious message.
Obtaining Fixed Versions
Users can download the patches/updates listed above from the official Hikvision website.
Source of vulnerability information
This vulnerability was reported to HSRC by Souvik Kandar and Arko Dhar of the Redinent Innovations team in India. We also want to acknowledge the cooperation of the Indian Computer Emergency Response Team (CERT-In), which coordinated with us in handling this vulnerability.
Contact Us
To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hrbaojie.com.
Hikvision would like to thank all security researchers for their attention to our products.