Watchful_IP says that Hikvision confirmed reproducing the vulnerability on June 23, 2021, so even assuming the PRC government did not have this for years, the PRC government has had it for weeks at least. The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days The PRC government has had this vulnerability information as all PRC companies are mandated by PRC law to provide vulnerabilities to the government since September 1 (CORRECTION: this post initially said the government had the info for "months", however, the PRC law went into effect September 1, 2021): This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. PRC Government Has Vulnerability Information For Weeks
BREACH AND CLEAR DEADLINE PORT FORWARD FULL
Neither Hikvision nor the researcher is releasing a full Proof of Concept, but Hikvision describes it as the result of "send a specially crafted message".Ī CVE has been reserved ( CVE-2021-36260), but no information has yet to be published yet. It will not be detectable by any logging on the camera itself. No username or password needed nor any actions need to be initiated by camera owner. Only access to the http(s) server port (typically 80/443) is needed. The researcher describes it as simple to exploit:
While Watchful_IP assessed this is "definitely NOT" a "Chinese Government-mandated backdoor," PRC government-created and -controlled Hikvision poses great risk to users around the world as its government backing has driven it to become the most widely used video surveillance manufacturer globally.Ĭybersecurity concerns are a long-standing issue for Hikvision, e.g., it was US government federally banned by the 2019 NDAA and the US government is planning to ban FCC authorizations for Hikvision, so this admission comes at a critical time for the company. IPVM estimates it impacts 100+ million devices.
BREACH AND CLEAR DEADLINE PORT FORWARD CODE
Hikvision has admitted a 9.8 vulnerability that is "the highest level of critical vulnerability-a zero-click unauthenticated remote code execution" per the researcher, Watchful_IP, who discovered this.
0 kommentar(er)
