Two of Hikvision’s wireless bridge products, namely DS-3WF0AC-2NT and DS-3WF01C-2N/O, are affected by a critical access control vulnerability tracked as CVE-2022-28173 that allows attackers to remotely take over the cameras. The company has since issued patches for both products that fix the vulnerability.
At the moment, affected products and the vulnerable firmware versions are as follows:
- DS-3WF0AC-2NT: versions below V1.1.0
- DS-3WF01C-2N/O: versions below V1.0.4
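As an added example (not from Hikvision or Redinent), the following script checks a device inventory against the fixed versions listed above. The inventory layout, hostnames and the "build" suffix on version strings are assumptions made for illustration.

```python
import re

# Fixed firmware versions, taken from the affected-products list above.
FIXED_IN = {
    "DS-3WF0AC-2NT": (1, 1, 0),
    "DS-3WF01C-2N/O": (1, 0, 4),
}

# Assumed version format: optional "V", three dotted numbers, optional suffix.
_VERSION_RE = re.compile(r"[Vv]?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a string such as 'V1.0.3 build 220101'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(model, firmware):
    """Classify a device as 'vulnerable', 'patched', 'unknown' or 'not-listed'."""
    fixed = FIXED_IN.get(model.strip().upper())
    if fixed is None:
        return "not-listed"  # model is not one of the two named on this page
    try:
        current = parse_version(firmware)
    except ValueError:
        return "unknown"  # affected model, unreadable version: check by hand
    # Compare numerically: as strings, "1.0.10" would sort below "1.0.4".
    return "vulnerable" if current < fixed else "patched"


def audit(inventory):
    """Map each hostname in (host, model, firmware) rows to its status."""
    return {host: assess(model, fw) for host, model, fw in inventory}


# Constructed sample inventory; every value here is made up.
INVENTORY = [
    ("bridge-gate-1", "DS-3WF0AC-2NT", "V1.0.9 build 211203"),
    ("bridge-gate-2", "DS-3WF0AC-2NT", "V1.1.0"),
    ("bridge-yard-1", "ds-3wf01c-2n/o", "1.0.3"),
    ("bridge-yard-2", "DS-3WF01C-2N/O", "V1.0.10"),
    ("bridge-roof-1", "DS-3WF01C-2N/O", "n/a"),
    ("switch-core-1", "EXAMPLE-SWITCH", "V2.0.0"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:16} {status}")
```

Devices reported as `unknown` belong to an affected model but have a version string the parser could not read, so they need a manual check.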
The bug was first reported to Hikvision in September this year through CERT-India. It was originally discovered on August 11 by Souvik Kandar and Arko Dhar of the Redinent Innovations team in India, who then reported it to CERT-India on September 16.
CERT-India had registered the vulnerability by September 27 and it took until November 4 for Hikvision to confirm the bug, upon which the company asked for time to release patches before public disclosure.
According to a notification issued by the company on December 16, the vulnerability lies in the web server of the aforementioned wireless bridges. It can be exploited by sending a maliciously crafted message to the web server, which allows the attacker to obtain admin privileges.
Redinent’s report claims that the bug is the result of improper parameter handling by the bridge’s web management interface. An attacker needs to create a single web request with a maliciously crafted payload of no more than 200 bytes to exploit the weakness and get admin access. Once inside, the attacker gets full persistent access to the management interface and all functions of the wireless interface.
That said, the attacker needs to be on the same network as the vulnerable device, provided it’s not exposed to the internet. If a vulnerable device is openly exposed to the internet, however, the requirement to be on the same network doesn’t apply.