List: full-disclosure
Subject: [FD] CVE-2017-14953 - Hikvision Wi-Fi IP Cameras associate to a default unencrypted rogue SSIDs in a
From: IOT Sec <iot_sec () mailfence ! com>
Date: 2017-11-28 3:47:04
Message-ID: 87572015.50338.1511840824613 () ichabod ! co-bxl
Hikvision Wi-Fi IP Cameras associate to a default unencrypted rogue SSIDs in a wired configuration
Full disclosure
Nov 27, 2017
Synopsis:
---
Hikvision Wi-Fi IP cameras ship with a default SSID, "davinci", configured with no Wi-Fi
encryption or authentication. Depending on the firmware version, the camera has no configuration
option to turn off Wi-Fi. If a camera is deployed via wired Ethernet, the Wi-Fi settings won't be
adjusted, and the camera will associate to a rogue AP advertising the SSID "davinci", which
provides a new attack vector via Wi-Fi to a wired network camera.
Risk:
---
This exposure provides an unexpected attack surface via Wi-Fi on a camera deployed in a wired
environment. Devices running firmware prior to v5.4.5 can be attacked via an access control
bypass (see http://seclists.org/fulldisclosure/2017/Sep/23). The camera will also request a DHCP
lease on its wireless interface, so the rogue AP's subnet would take preference over an
L3-adjacent NVR/viewer, resulting in a denial of service.
Mitigation:
---
Since Wi-Fi cannot be turned off, the mitigation is to specify a complex WPA2-PSK AES key.
The camera will then try to associate to a WPA2-PSK network that doesn't exist, and it is
unlikely that an attacker will be able to guess the complex key. Via the web interface:
Configuration -> Network -> Advanced Settings -> Wi-Fi
Set Security Mode to: "WPA2-personal"
Set Encryption Type to: "AES"
Set Key 1 to: A random long string of characters
Enable WPS: Uncheck
Vulnerability details:
---
Tested Model Number (Confirmed): DS-2CD2432F-IW
Tested Firmware Versions (Confirmed): 5.3.0, 5.4.0, 5.4.5
Exploit: Camera is hardwired via ethernet. Wi-Fi is unconfigured (by default).
Set up a rogue Wi-Fi access point with an SSID of "davinci" with no encryption.
The camera will associate with the rogue access point. There is no configuration option for
the administrator to turn off Wi-Fi. If the rogue access point offers DHCP, the camera will get a
dynamic address and be remotely accessible within Wi-Fi range. Combined with previous firmware
exploits, an attacker could remotely exploit or disable the camera simply by being within Wi-Fi
range. The attack also circumvents any wired network security that may have been deployed on
that segment, such as firewalls, ACLs, or turning off UPnP.
Timeline:
---
June 1, 2017 - Reported to security.usa@hikvision.com - No Response
June 6, 2017 - Reported again to security.usa@hikvision.com - No Response
September 29, 2017 - Reported again to security.usa@hikvision.com - No Response
September 29, 2017 - Reported to techsupport.usa@hikvision.com - Automated Response only - No follow up
September 29, 2017 - Reported to CERT. Tracking as VU#768573.
September 29, 2017 - Reported to MITRE. Assigned CVE-2017-14953.
October 3, 2017 - Reported to ICS-CERT upon CERT's recommendation - No response.
October 3, 2017 - Hikvision responds.
November 27, 2017 - Mutually agreed disclosure date. Exposure details released in the full disclosure distribution list.
Possibly affected camera model numbers (Wi-Fi) [unconfirmed]:
DS-2CD2112F-IWS
DS-2CD2132F-IWS
DS-2CD2522FWD-IWS
DS-2CD2542FWD-IWS
DS-2CD2412F-IW
DS-2CD2422FWD-IW
DS-2CD2432F-IW
DS-2CD2023G0D-IW2
DS-2CD2123G0D-IW2
DS-2DE2204IW-DE3/W
Rebranded products possibly affected [unconfirmed]:
ANNKE I61DR IP Camera 2MP 1080P HD Two-way audio
Amazon Name: ANNKE Wireless Cube Camera 1080P 2.0 Megapixel WiFi Network IP Camera
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
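
A defender-side site survey check for the condition the advisory describes (an unencrypted access point advertising the default SSID "davinci"), added here as an example and not part of the original message. It assumes scan text laid out like `iw dev wlan0 scan` output; the sample scan, BSSIDs and function names are constructed for illustration.

```python
DEFAULT_SSID = "davinci"  # default camera SSID named in the advisory

# Constructed sample, laid out like `iw dev wlan0 scan` output (assumed format).
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -48.00 dBm
\tSSID: davinci
BSS 02:00:00:aa:bb:02(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -60.00 dBm
\tSSID: davinci
\tRSN:\t * Version: 1
BSS 02:00:00:aa:bb:03(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -71.00 dBm
\tSSID: guest
"""

def parse_scan(text):
    """Return one dict per BSS: bssid, ssid, signal (dBm), encrypted flag."""
    cells = []
    for line in text.splitlines():
        if line.startswith("BSS "):  # unindented line opens a new AP record
            cells.append({"bssid": line[4:21].lower(), "ssid": "",
                          "signal": None, "encrypted": False})
        elif cells:
            key, _, value = line.strip().partition(":")
            value, cell = value.strip(), cells[-1]
            if key == "SSID":
                cell["ssid"] = value
            elif key == "signal":
                cell["signal"] = float(value.split()[0])
            elif key in ("RSN", "WPA") or (
                    key == "capability" and "Privacy" in value.split()):
                cell["encrypted"] = True  # WEP/WPA/WPA2 advertised
    return cells

def find_open_default_ssid(text, ssid=DEFAULT_SSID):
    """BSSes advertising the camera's default SSID with no encryption."""
    return [c for c in parse_scan(text)
            if c["ssid"] == ssid and not c["encrypted"]]

if __name__ == "__main__":
    for c in find_open_default_ssid(SAMPLE_SCAN):
        print(f"ALERT open '{c['ssid']}' AP {c['bssid']} at {c['signal']} dBm")
```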