
      Security Vulnerability in Some Hikvision Products

      SN No. HSRC-202311-03

       

      Edit: Hikvision Security Response Center (HSRC)

       

      Initial Release Date: 2023-11-23

       

      Summary

      Some Hikvision products have been affected by an authentication bypass vulnerability in the Hik-Connect Module, which could allow remote attackers to consume services by sending crafted messages to the affected devices.

       

      CVE ID

      CVE-2023-48121

       

      Scoring

      CVSS v3.1 is adopted in this vulnerability scoring (http://www.first.org/cvss/specification-document).

       

      Base score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

       

      Affected Versions

      | No | Product Name | Affected Versions |
      |----|--------------|-------------------|
      | 1 | DS-2CV1xxx | build date before 231108 |
      | 2 | DS-2CV2xxx | build date before 231108 |
      | 3 | DS-2CD1xxx | build date before 230614 |
      | 4 | DS-2CD2xx1, DS-2CD2xx3, DS-2CD2xx6, DS-2CD2xx7 | build date before 230630 |
      | 5 | DS-2CD2xx2, DS-2CD2xx0 | build date before 231110 |
      | 6 | DS-2CD2xxx-W | build date before 230831 |
      | 7 | DS-2CD3xxx | build date before 210429 |
      | 8 | HWI-xxxx | build date before 231108 |
      | 9 | IPC-xxx | build date before 230614 |
      | 10 | DS-2DE4xxx | build date before 230519 |
      | 11 | DS-2DE2Axx | build date before 230612 |
      | 12 | iDS-EXXHUH, DS-EXXHGH, iDS-EXXHQH, DVR-EXXHUH, DVR-EXXHGH, DVR-EXXHQH | V4.71.210 build date before 230825 |
      | 13 | iDS-72XXHQH-M(C), iDS-72XXHUH-M(C), iDS-72XXHQH-M(E), iDS-72XXHUH-M(E), iDS-72XXHTH-M(C), HW-HWD-72XXMH-G4, HW-HWD-62XXMH-G4, HL-DVR-216Q-K2(E) | V4.71.110 build date before 230823 |
      | 14 | DS-71XXHGH-M(C), DS-72XXHGH-M(C), DS-71XXHGH-K(S), DS-72XXHGH-K(S), HL-DVR-1XXG-K(S), HL-DVR-2XXG-K(S), HL-DVR-1XXG-M(C), HL-DVR-2XXG-M(C), HW-HWD-51XXH(S), HW-HWD-51XXH-G, HW-HWD-51XXMH-G, iDS-71xxHQH-M(C), iDS-71xxHQH-M(E), iDS-72xxHQH-M/E(C), iDS-72xxHQH-M/E(E), HL-DVR-2XXQ-M(C), HL-DVR-2XXQ-M(E), HW-HWD-61XXMH-G4, HW-HWD-61XXMH-G4(E), iDS-71xxHUH-M(C), iDS-72xxHUH-M/E(C), iDS-71xxHUH-M(E), iDS-72xxHUH-M/E(E), HL-DVR-2XXU-M(C), HL-DVR-2XXU-M(E), HW-HWD-71XXMH-G4, HW-HWD-71XXMH-G4(E) | V4.71.131 build date before 230913 |
      | 15 | DS-76xxNI-Q1(/xP)(D), DS-76xxNI-Q2(/xP)(D), DS-77xxNI-Q4(/xP)(D), DS-76xxNXI-K1(/xP)(B), NVR-2xx(M)H(-xP)-C(D), NVR-1xx(M)H(-xP)-C(D), HW-HWN-42xx(M)H(-xP)(D), HW-HWN-41xx(M)H(-xP)(D) | V4.75.000 build date before 230620 |
      | 16 | DS-71xxNI-Q1(/xP)(/M)(D), DS-76xxNI-Q1(C), DS-76xxNI-Q2(C), DS-76xxNI-K1(C), HL-NVR-1xx(M)H-D(D), HW-HWN-21xx(M)H(-xP)(D), HW-HWN-41xxMH(C), HW-HWN-42xxMH(C), HL-NVR-1xxMH-C(C), HL-NVR-2xxMH-C(C) | V4.74.100 build date before 230707 |
      | 17 | DS-76xxNI-K2, DS-77xxNI-K4 | V4.74.205 build date before 230712 |
      | 18 | HL-NVR-EXXMH-D/4P(SSD 1T), HL-NVR-EXXMH-D/4P(SSD 2T), DS-EXXNI-Q1(SSD 1T), DS-EXXNI-Q1(SSD 2T) | V4.30.075 build date before 230925 |

       

       

      Precondition

      The attacker has network access to the device.

       

      Attack Step

      Send a specially crafted malicious message.

       

      Obtaining Fixed Version

      Users can download the patch on the Hikvision official website.

       

      Source of Vulnerability Information

      The vulnerability was reported to EZVIZ Security Team by Joern (@joerngermany).

       

      Contact Us

      To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hrbaojie.com.

      Hikvision would like to thank all security researchers for your attention to our products.

       

      2023-11-23 V1.0 INITIAL

      2023-11-29 V1.1 UPDATED: Updated Affected Versions
