Researchers with Rapid7 Labs have identified three buffer overflow vulnerabilities in Hikvision digital video recorder (DVR) devices that, if exploited, can enable a remote attacker to gain full control of the device, according to a Wednesday post.
The DVRs are commonly used to record footage taken by surveillance cameras, and while Rapid7 Labs tested a Hikvision-DS-7204-HVI-SV DVR device with firmware V2.2.10 build 131009, the post indicates that other devices in the same model range are also affected.
During the research, roughly 150,000 devices were identified as being remotely accessible. Mark Schloesser, security researcher at Rapid7, told SCMagazine.com in a Thursday email correspondence that small to medium-sized businesses and private customers are believed to be using these devices.
“We did not put together exhaustive statistics on this, but the networks these devices appear in are mostly allocated to dial-up [and] broadband ISPs,” Schloesser said. “The most affected countries are India (21K), China (20K) and Korea (15K), with the U.S. following in fourth place (12k).”
All of the vulnerabilities enable execution of arbitrary code without authentication – CVE-2014-4878 involves exploiting a buffer overflow in the RTSP request body handling, CVE-2014-4879 involves exploiting a buffer overflow in the RTSP request header handling, and CVE-2014-4880 involves exploiting a buffer overflow in the RTSP request basic authentication handling, the post indicates.
The vulnerabilities are all fairly similar, with each one leading to full compromise of the device, Schloesser said, explaining that the attacker could then try to use the device as a proxy to attack more systems, to mine for Bitcoins, or to carry out distributed denial-of-service (DDoS) attacks.
“Implications are mostly privacy concerns for the video surveillance footage and that the devices serve as an entry point into home [and] business networks,” Schloesser said. “The Bitcoin mining itself does not hurt the owner of the device too much (except for wasting electricity) and a DDoS attack just stresses the devices internet connection. On the other hand we all know what a botnet of large enough size can do against other targets than the device owners.”
The Hikvision DVRs come with default administrative account of ‘admin' and a password of ‘12345,' and an attacker can leverage this to compromise the devices without the need for exploiting the vulnerability, Schloesser said.
“The specific devices I looked at allow for remote administration through a web and a telnet interface,” Schloesser said. “Through telnet at least one can run arbitrary code as well and install malware.”
Rapid7 Labs deems the vulnerabilities to be critical because the flaws enable full compromise of the device, Schloesser said, adding that it should be simple for a skilled attacker to exploit the bugs. Rapid7 Labs made several attempts to contact Hikvision, but heard no response.
“Device owners should only access the devices through an authenticated channel such as a proxy or VPN,” Schloesser said. “The device itself should not allow for direct connectivity from the public internet. In addition of course the default credentials need to be changed after setting up the device.”
Hikvision did not respond to a SCMagazine.com request for comment.
