1. 918博天堂·(中国区)首页

    Security Vulnerability in Some Hikvision Products

    Security Vulnerability in Some Hikvision Products

    SN No. HSRC-202311-03

     

    Edit: Hikvision Security Response Center (HSRC)

     

    Initial Release Date: 2023-11-23

     

    Summary

    Some Hikvision products have been affected by an authentication bypass vulnerability in the Hik-Connect Module, which could allow remote attackers to consume services by sending crafted messages to the affected devices.

     

    CVE ID

    CVE-2023-48121

     

    Scoring

    CVSS v3.1 is adopted in this vulnerability scoring.

     

    (http://www.first.org/cvss/specification-document)

     

    Base score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

     

    Affected Versions

    No

    Product Name

    Affected Versions

    1

    DS-2CV1xxx

    build date before 231108

    2

    DS-2CV2xxx

    build date before 231108

    3

    DS-2CD1xxx

    build date before 230614

    4

    DS-2CD2xx1

    DS-2CD2xx3

    DS-2CD2xx6

    DS-2CD2xx7

    build date before 230630

    5 DS-2CD2xx2
    DS-2CD2xx0

    build date before 231110

    6

    DS-2CD2xxx-W

    build date before 230831

    7

    DS-2CD3xxx

    build date before 210429

    8

    HWI-xxxx

    build date before 231108

    9

    IPC-xxx

    build date before 230614

    10

    DS-2DE4xxx

    build date before 230519

    11

    DS-2DE2Axx

    build date before 230612

    12

    iDS-EXXHUH
    DS-EXXHGH
    iDS-EXXHQH
    DVR-EXXHUH

    build date before 230825 

    13

    iDS-72XXHQH-M(C)
    iDS-72XXHUH-M(C)
    iDS-72XXHQH-M(E)
    iDS-72XXHUH-M(E)
    iDS-72XXHTH-M(C)
    HW-HWD-72XXMH-G4
    HW-HWD-62XXMH-G4
    HL-DVR-216Q-K2(E)

    build date before 230823

    14

    DS-71XXHGH-M(C)
    DS-72XXHGH-M(C)
    DS-71XXHGH-K(S)
    DS-72XXHGH-K(S)
    HL-DVR-1XXG-K(S)
    HL-DVR-2XXG-K(S)
    HL-DVR-1XXG-M(C)
    HL-DVR-2XXG-M(C)
    HW-HWD-51XXH(S)
    HW-HWD-51XXH-G
    HW-HWD-51XXMH-G
    iDS-71xxHQH-M(C)
    iDS-71xxHQH-M(E)
    iDS-72xxHQH-M/E(C)
    iDS-72xxHQH-M/E(E)
    HL-DVR-2XXQ-M(C)
    HL-DVR-2XXQ-M(E)
    HW-HWD-61XXMH-G4
    HW-HWD-61XXMH-G4(E)
    iDS-71xxHUH-M(C)
    iDS-72xxHUH-M/E(C)
    iDS-71xxHUH-M(E)
    iDS-72xxHUH-M/E(E)
    HL-DVR-2XXU-M(C)
    HL-DVR-2XXU-M(E)
    HW-HWD-71XXMH-G4
    HW-HWD-71XXMH-G4(E)

    build date before 230913

    15

    DS-76xxNI-Q1(/xP)(D)
    DS-76xxNI-Q2(/xP)(D)
    DS-77xxNI-Q4(/xP)(D)
    DS-76xxNXI-K1(/xP)(B)
    NVR-2xx(M)H(-xP)-C(D)
    NVR-1xx(M)H(-xP)-C(D)
    HW-HWN-42xx(M)H(-xP)(D)
    HW-HWN-41xx(M)H(-xP)(D)

    build date before 230620

    16

    DS-71xxNI-Q1(/xP)(/M)(D)
    DS-76xxNI-Q1(C)
    DS-76xxNI-Q2(C)
    DS-76xxNI-K1(C)
    HL-NVR-1xx(M)H-D(D)
    HW-HWN-21xx(M)H(-xP)(D)
    HW-HWN-41xxMH(C)
    HW-HWN-42xxMH(C)
    HL-NVR-1xxMH-C(C)
    HL-NVR-2xxMH-C(C)

    build date before 230707

    17

    DS-76xxNI-K2
    DS-77xxNI-K4

    build date before 230712

    18

    HL-NVR-EXXMH-D/4P(SSD 1T)
    HL-NVR-EXXMH-D/4P(SSD 2T)
    DS-EXXNI-Q1(SSD 1T)
    DS-EXXNI-Q1(SSD 2T)

    build date before 230925

     

     

    Precondition

    The attacker has network access to the device.

     

    Attack Step

    Send a specially crafted malicious message.

     

    Obtaining Fixed Version

    Users can download the patch on the Hikvision official website.

     

    Source of Vulnerability Information

    The vulnerability was reported to EZVIZ Security Team by Joern (@joerngermany).

     

    Contact Us

    To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hrbaojie.com.

     

    Hikvision would like to thank all security researchers for your attention to our products.

     

    This Security Notice is released and updated based on Hikvision's current investigation results and is subject to changes. 

     

    2023-11-23 V1.0 INITIAL

    2023-11-29 V1.1 UPDATED: Updated Affected Versions

    2023-12-04 V1.2 UPDATED: Updated Affected Versions

    Contact Us
    Hik-Partner Pro close
    Hik-Partner Pro
    Hik-Partner Pro
    Scan and download the app
    Download
    Hik-Partner Pro
    Hik-Partner Pro

    Get a better browsing experience

    You are using a web browser we don’t support. Please try one of the following options to have a better experience of our web content.