OS command injection in multiple Hikvision products



Published: 2022-02-25 | Updated: 2023-07-19
Risk: High
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2021-36260
CWE-ID: CWE-78
Exploitation vector: Network
Public exploit: Vulnerability #1 is being exploited in the wild.
Vulnerable software (the database categorizes every entry below as Hardware solutions / Office equipment, IP-phones, print servers):

DS-2CVxxx1
DS-2CVxxx6
HWI-xxxx
IPC-xxxx
DS-2CD1xx1
DS-2CD1x23G0E(C)
DS-2CD1x43(B)
DS-2CD1x43(C)
DS-2CD1x43G0E
DS-2CD1x53(B)
DS-2CD1x53(C)
DS-2CD1xx7G0
DS-2CD2xx6G2
DS-2CD2xx6G2(C)
DS-2CD2xx7G2
DS-2CD2xx7G2(C)
DS-2CD2x21G0(C)
DS-2CD2x21G1(C)
DS-2CD2xx3G2
DS-2CD3xx6G2
DS-2CD3xx6G2(C)
DS-2CD3xx7G2
DS-2CD3xx7G2(C)
DS-2CD3xx7G0E
DS-2CD3x21G0
DS-2CD3x21G0(C)
DS-2CD3x51G0(C)
DS-2CD3xx3G2
DS-2CD4xx0
DS-2CD4xx6
iDS-2XM6810
iDS-2CD6810
DS-2XE62x2F(D)
DS-2XC66x5G0
DS-2XE64x2F(B)
DS-2CD8Cx6G0
(i)DS-2PTxxxx
(i)DS-2SE7xxxx
DS-2DYHxxxx
DS-2DY9xxxx
PTZ-Nxxxx
HWP-Nxxxx
DS-2DF5xxxx
DS-2DF6xxxx
DS-2DF6xxxx-Cx
DS-2DF7xxxx
DS-2DF8xxxx
DS-2DF9xxxx
iDS-2PT9xxxx
iDS-2SK7xxxx
iDS-2SK8xxxx
iDS-2SR8xxxx
iDS-2VSxxxx
DS-2TBxxx
DS-Bxxxx
DS-2TDxxxxB
DS-2TD1xxx-xx
DS-2TD2xxx-xx
DS-2TD41xx-xx/Wx
DS-2TD62xx-xx/Wx
DS-2TD81xx-xx/Wx
DS-2TD4xxx-xx/V2
DS-2TD62xx-xx/V2
DS-2TD81xx-xx/V2
DS-76xxNI-K1xx(C)
DS-76xxNI-Qxx(C)
DS-HiLookI-NVR-1xxMHxx-C(C)
DS-HiLookI-NVR-2xxMHxx-C(C)
DS-HiWatchI-HWN-41xxMHxx(C)
DS-HiWatchI-HWN-42xxMHxx(C)
DS-71xxNI-Q1xx(C)
DS-HiLookI-NVR-1xxMHxx-D(C)
DS-HiLookI-NVR-1xxHxx-D(C)
DS-HiWatchI-HWN-21xxMHxx(C)
DS-HiWatchI-HWN-21xxHxx(C)
DS-2CD1x23G0
DS-2CD2xx1G0
DS-2CD2xx1G1
DS-2CD2x27G1
DS-2CD2x27G3E
DS-2CD4xx6FWD (Non-ANPR)
DS-2CD4xx5G0
DS-2XE6xx5G0
DS-2XE6xx2F
DS-2XM6xx2FWD
DS-2XM6xx2G0
(i)DS-2DExxxx

Vendor: Hikvision

Security Bulletin

This security bulletin contains one high-risk vulnerability.

1) OS Command Injection

EUVDB-ID: #VU60887

Risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-36260

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
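The bulletin names the defect class (CWE-78) but, like the vendor notice, gives no code. The following is an added illustration of that class and of the hardening that closes it; it is not code from Hikvision, from this bulletin, or from any affected firmware. The scenario (a device web handler that takes a user-supplied hostname and runs a ping diagnostic), the parameter and the helper names are assumptions made for the example. It shows the vulnerable construction only as a string builder that is never executed, beside the hardened form: allowlist validation of the value, then an argv list passed without a shell so the value can never be parsed as part of a command.

```python
"""CWE-78 illustration: vulnerable string-spliced command beside a hardened
allowlist + argv-list handler. Constructed example; the ping handler and the
hostname parameter are assumptions, not taken from any Hikvision product.
"""
import re
import subprocess

# Allowlist: RFC 1123 style hostname labels, or a dotted IPv4 address.
# Anything else is rejected before it reaches a process-spawning call.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def is_valid_target(value) -> bool:
    """Return True only for values that match the strict allowlist.

    A leading hyphen is refused as well, so a value can never be read by the
    spawned program as an option even though it arrives as its own argv entry.
    """
    if not isinstance(value, str) or not value or len(value) > 253:
        return False
    return bool(_HOSTNAME_RE.match(value) or _IPV4_RE.match(value))


def build_command_unsafe(target: str) -> str:
    """VULNERABLE PATTERN, shown but never executed in this example.

    The untrusted value is spliced into a string that a shell would parse
    (e.g. subprocess.run(cmd, shell=True) or C system(cmd)). Any shell
    metacharacter in `target` then changes the command that runs; this is
    exactly the weakness CWE-78 describes.
    """
    return "ping -c 1 " + target


def build_command_safe(target: str) -> list:
    """Hardened pattern: validate against the allowlist, then build an argv list.

    With an argv list and shell=False no shell ever tokenizes the value; it
    reaches the program as a single, opaque argument.
    """
    if not is_valid_target(target):
        raise ValueError("target rejected by allowlist")
    return ["ping", "-c", "1", target]


def run_diagnostic(target: str) -> int:
    """Execute the hardened command and return the process exit status.

    Not called at import time; it needs a ping binary on the host.
    """
    argv = build_command_safe(target)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=10)
    return completed.returncode
```

The design point is that validation alone is a second line of defence; the primary fix is never handing attacker-influenced text to a shell. Rejecting the value when the allowlist fails (rather than trying to strip characters) keeps the handler's behaviour predictable and makes failed validations easy to log and alert on.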

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

DS-2CVxxx1: before 210625

DS-2CVxxx6: All versions

HWI-xxxx: All versions

IPC-xxxx: All versions

DS-2CD1xx1: All versions

DS-2CD1x23G0E(C): All versions

DS-2CD1x43(B): All versions

DS-2CD1x43(C): All versions

DS-2CD1x43G0E: All versions

DS-2CD1x53(B): All versions

DS-2CD1x53(C): All versions

DS-2CD1xx7G0: All versions

DS-2CD2xx6G2: All versions

DS-2CD2xx6G2(C): All versions

DS-2CD2xx7G2: All versions

DS-2CD2xx7G2(C): All versions

DS-2CD2x21G0(C): All versions

DS-2CD2x21G1(C): All versions

DS-2CD2xx3G2: All versions

DS-2CD3xx6G2: All versions

DS-2CD3xx6G2(C): All versions

DS-2CD3xx7G2: All versions

DS-2CD3xx7G2(C): All versions

DS-2CD3xx7G0E: All versions

DS-2CD3x21G0: All versions

DS-2CD3x21G0(C): All versions

DS-2CD3x51G0(C): All versions

DS-2CD3xx3G2: All versions

DS-2CD4xx0: All versions

DS-2CD4xx6: All versions

iDS-2XM6810: All versions

iDS-2CD6810: All versions

DS-2XE62x2F(D): All versions

DS-2XC66x5G0: All versions

DS-2XE64x2F(B): All versions

DS-2CD8Cx6G0: All versions

(i)DS-2PTxxxx: All versions

(i)DS-2SE7xxxx: All versions

DS-2DYHxxxx: All versions

DS-2DY9xxxx: All versions

PTZ-Nxxxx: All versions

HWP-Nxxxx: All versions

DS-2DF5xxxx: All versions

DS-2DF6xxxx: All versions

DS-2DF6xxxx-Cx: All versions

DS-2DF7xxxx: All versions

DS-2DF8xxxx: All versions

DS-2DF9xxxx: All versions

iDS-2PT9xxxx: All versions

iDS-2SK7xxxx: All versions

iDS-2SK8xxxx: All versions

iDS-2SR8xxxx: All versions

iDS-2VSxxxx: All versions

DS-2TBxxx: All versions

DS-Bxxxx: All versions

DS-2TDxxxxB: All versions

DS-2TD1xxx-xx: All versions

DS-2TD2xxx-xx: All versions

DS-2TD41xx-xx/Wx: All versions

DS-2TD62xx-xx/Wx: All versions

DS-2TD81xx-xx/Wx: All versions

DS-2TD4xxx-xx/V2: All versions

DS-2TD62xx-xx/V2: All versions

DS-2TD81xx-xx/V2: All versions

DS-76xxNI-K1xx(C): All versions

DS-76xxNI-Qxx(C): All versions

DS-HiLookI-NVR-1xxMHxx-C(C): All versions

DS-HiLookI-NVR-2xxMHxx-C(C): All versions

DS-HiWatchI-HWN-41xxMHxx(C): All versions

DS-HiWatchI-HWN-42xxMHxx(C): All versions

DS-71xxNI-Q1xx(C): All versions

DS-HiLookI-NVR-1xxMHxx-D(C): All versions

DS-HiLookI-NVR-1xxHxx-D(C): All versions

DS-HiWatchI-HWN-21xxMHxx(C): All versions

DS-HiWatchI-HWN-21xxHxx(C): All versions

DS-2CD1x23G0: All versions

DS-2CD2xx1G0: All versions

DS-2CD2xx1G1: All versions

DS-2CD2x27G1: All versions

DS-2CD2x27G3E: All versions

DS-2CD4xx6FWD (Non-ANPR): All versions

DS-2CD4xx5G0: All versions

DS-2XE6xx5G0: All versions

DS-2XE6xx2F: All versions

DS-2XM6xx2FWD: All versions

DS-2XM6xx2G0: All versions

(i)DS-2DExxxx: All versions

External links

http://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can an attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.