Lucene search
This script is Copyright %28c%29 2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_HIKVISION_CVE-2024-29948.NASLHistoryJul 22, 2024 - 12:00 a.m.
Hikvision Video Recorders Command Injection (CVE-2024-29948)
2024-07-2200:00:00
This script is Copyright %28c%29 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
47
hikvision video recorders
command injection
cve-2024-29948
file data
tenable ot
scanner
CVSS3
3.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L
AI Score
8
Confidence
High
There is a command injection vulnerability in some Hikvision NVRs. This could allow an authenticated user with administrative rights to execute arbitrary commands.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# %28c%29 Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(502297);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/23");
script_cve_id("CVE-2024-29948");
script_name(english:"Hikvision Video Recorders Command Injection (CVE-2024-29948)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"There is a command injection vulnerability in some Hikvision NVRs.
This could allow an authenticated user with administrative rights to execute arbitrary commands.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
# https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikvision-nvr-devices/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?01677c26");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
script_set_cvss3_base_vector("CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-29948");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(78);
script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/02");
script_set_attribute(attribute:"patch_publication_date", value:"2024/04/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:hikvision:ds-7604nxi-k1%2f4p");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright %28c%29 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Hikvision");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Hikvision');
var asset = tenable_ot::assets::get(vendor:'Hikvision');
var vuln_cpes = {
"cpe:/o:hikvision:ds-7604nxi-k1%2f4p" :
{"family" : "HikvisionVideoRecordersProSeries", "versionEndIncluding" : "V4.76.005_build231012"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_NOTE);
Related
vulnrichment
vulnrichment
CVE-2024-29948
2024-04-02 11:07:04
cvelist
cvelist
CVE-2024-29948
2024-04-02 11:07:04
nvd
nvd
CVE-2024-29948
2024-04-02 11:15:51
cve
cve
CVE-2024-29948
2024-04-02 11:15:51
CVSS3
3.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L
AI Score
8
Confidence
High
Related for TENABLE_OT_HIKVISION_CVE-2024-29948.NASL