Hikivision IP Camera Command Injection Vulnerability

2023-01-1300:00:00

www.tenable.com

The Hikivision Product is affected by a Command Injection Vulnerability in the web server component of its user interface. As such, a remote unauthenticated attacker can cause the product to run commands via the language tags.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version and build numbers.

#%NASL_MIN_LEVEL 80900

include('compat.inc');

if (description)
{
  script_id(170037);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/11");

  script_cve_id("CVE-2021-36260");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/01/24");

  script_name(english:"Hikivision IP Camera Command Injection Vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a command injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Hikivision Product is affected by a Command Injection Vulnerability in the web server component
of its user interface. As such, a remote unauthenticated attacker can cause the product to run commands via the 
language tags.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
and build numbers.");
  # https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fdaf1c58");
  # https://us-cert.cisa.gov/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6eb159d8");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-36260");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Hikvision IP Camera Unauthenticated Command Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:hikvision:ip_cameras");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hikvision_www_detect.nbin");
  script_require_keys("Host/Hikvision IP Camera/build", "Host/Hikvision IP Camera/version", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('http.inc');

var app_name = 'Hikvision IP Camera';
var port = get_http_port(default:80);
var app_info = vcf::get_app_info(app:'Hikvision IP Camera', port:port, webapp:TRUE);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

var constraint_pre4 = [{'fixed_version' : '4.30.0' }];
var constraint_4 = [{ 'min_version' : '4.30.210', 'max_version' : '4.31.100' }];  
var constraint_5 = [{ 'min_version' : '5.0.0', 'fixed_version' : '5.5.0' }];

var report = '';

var version = vcf::parse_version(app_info.version);
var build = int(app_info.Build);

#Paranoid due to model check requirements. The rest of this should have no false positives if run on a affected Camera.
var check = vcf::check_version(version:version, constraints:constraint_5);

if (!empty_or_null(check)) report = "Update to 5.5.0";

check = vcf::check_version(version:version, constraints:constraint_pre4);
if (!empty_or_null(check))
{
    if (build < 210625) report = "See Vendor Advisory";
}
check = vcf::check_version(version:version, constraints:constraint_4);

if (!empty_or_null(check))
{
  if (201224 <= build && build < 210511) report = "See Vendor Advisory";
}

if (report == '') audit(AUDIT_HOST_NOT, 'affected');

{
report = 
    '\n  Installed version : ' + app_info.version
  + '\n  Build version     : ' + app_info.Build 
  + '\n  Fixed version     : ' + report + '\n';
}

security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);

VendorProductVersionCPE
hikvisionip_camerascpe:/h:hikvision:ip_cameras

Vendor	Product	Version	CPE
hikvision	ip_cameras		cpe:/h:hikvision:ip_cameras

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260

www.nessus.org/u?6eb159d8

www.nessus.org/u?fdaf1c58

JSON

Related for HIKIVISION_CVE-2021-36260.NASL