← Advisories

Hikvision Digital Video Recorder Cross-Site Request Forgery

Medium
Advisory ID
ZSL-2016-5315
Release Date
08 April 2016
Vendor
Hikvision Digital Technology Co., Ltd - http://www.hikvision.com
Affected Version
LV-D2104CS, DS-7316HFI-ST, DS-7216HVI-SV/A, DS-7208HVI-SH, DS-7204HVI-SH
CVE
N/A
Tested On
Hikvision-Webs
Summary

Hikvision is the global leader of video surveillance products and solutions, manufactures a wide range of top-quality, reliable, and professional solutions.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept
hikvision_csrf.htmlTXT
Disclosure Timeline
19.01.2016Vulnerability discovered.
30.01.2016Vendor contacted.
30.01.2016Vendor responds asking more details.
30.01.2016Sent details to the vendor.
01.02.2016Vendor have issues reproducing.
01.02.2016Sent more details to the vendor.
03.02.2016Vendor working on the issue.
05.02.2016Asked vendor for status update.
11.02.2016No response from the vendor.
12.02.2016Asked vendor for status update.
13.02.2016Vendor scheduled patch release.
18.02.2016Working with the vendor.
26.02.2016Asked vendor for status update.
26.02.2016Vendor informs patch is still in development.
01.03.2016Vendor sends firmware DS-7208HVI-SH patch to ZSL for verification.
01.03.2016ZSL verifies fix.
14.03.2016Asked vendor for scheduled patch release date.
14.03.2016Vendor informs that firmware DS-7208HVI-SH is off production, the issue will be fixed in other products soon.
08.04.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://overseas.hikvision.com/europe/list01_435.html
[2]https://packetstormsecurity.com/files/136629
[3]https://cxsecurity.com/issue/WLB-2016040053
[4]https://www.exploit-db.com/exploits/39677/
[5]https://exchange.xforce.ibmcloud.com/vulnerabilities/112141
Changelog
08.04.2016Initial release
10.04.2016Added reference [2] and [3]
11.04.2016Added reference [4]
14.04.2016Added reference [5]