OVERVIEW
IPVM (Bashis) identified three vulnerabilities in Hanwha cameras and reported them to Hanwha S-CERT on February 7th, 2023.
Vulnerability | Description |
---|---|
Authenticated Command Injection | An arbitrary command can be injected into the folder mount point of the NAS function, causing a Linux command to be executed. |
DoS of WS Discovery and Hanwha proprietary discovery services | Sending empty packets to ports 3702 / 7701, which are used for ONVIF / Device Manager device discovery, can disable the discovery function. |
Authenticated XSS | A script can be executed by injecting it into the imageData/backupfileData parameters of /home/setup/imagedownload.cgi. |
AFFECTED PRODUCTS AND FIRMWARE
These vulnerabilities affect the following series models. Please refer to the tables below for affected series, affected firmware versions, and corrected firmware versions.
Model | Affected Firmware Version | Corrected Firmware Version |
---|---|---|
A Series | 1.41.02 and earlier versions | 1.41.03 and later versions |
Q Series (Basic 2M) | 1.41.13 and earlier versions | 1.41.14 and later versions |
Q Series (Others) | 1.41.04 and earlier versions | 1.41.05 and later versions |
PNM Series | 1.33.03 and earlier versions / 2.21.01 and earlier versions | 2.22.00 and later versions |
RISK ANALYSIS
Vulnerability | Review Opinion | Severity |
---|---|---|
Authenticated Command Injection | Hanwha was filtering special characters in the DefaultFolder parameter used for the NAS function, but it was confirmed that a command could still be executed because the special character '$' was missing from the filter. However, this vulnerability requires authentication before it can be exploited. | Middle |
DoS of WS Discovery and Hanwha proprietary discovery services | Even if a DoS attack occurs, only the discovery function used to find products on the local network is affected, not all services of Hanwha products. RISK MITIGATION: If a DoS attack occurs and the firmware cannot be updated, rebooting the device can temporarily solve the problem. ※ However, this vulnerability affects all Hanwha products, so corrected firmware has been released for all Hanwha products. (Refer to Section A) | Low |
Authenticated XSS | It is difficult to exploit because it is very difficult to get the script to run in an actual browser. Also, even if JavaScript is executed, no additional benefit is obtained. This vulnerability also requires authentication before it can be exploited. | Low |
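
The command injection row above attributes the flaw to a special-character filter that omitted '$'. The following added example is not Hanwha's code; its denylist, sample values and mount command layout are constructed assumptions. It contrasts such a denylist with an allowlist check and with passing the folder name as a single argument that no shell parses.

```python
import re

# Constructed denylist for illustration only (not Hanwha's actual filter):
# common shell metacharacters are rejected, but '$' is absent.
DENYLIST = set(";|&`<>\"'\\\n")

def denylist_ok(folder: str) -> bool:
    """Weak check: accept anything without a listed character."""
    return not any(ch in DENYLIST for ch in folder)

# Allowlist: one or more path segments of letters, digits, '.', '_' or '-'.
SEGMENT = r"[A-Za-z0-9._-]+"
ALLOWED = re.compile(rf"{SEGMENT}(?:/{SEGMENT})*")

def allowlist_ok(folder: str, max_len: int = 128) -> bool:
    """Strict check: accept only the characters a folder name needs."""
    if not 0 < len(folder) <= max_len:
        return False
    if ALLOWED.fullmatch(folder) is None:
        return False
    # Reject traversal segments, which the character class alone permits.
    return all(seg not in (".", "..") for seg in folder.split("/"))

def mount_argv(host: str, folder: str, mountpoint: str) -> list[str]:
    """Build an argument vector for exec-style invocation (no shell).

    The command layout is hypothetical, and host/mountpoint are assumed to
    be validated elsewhere. The folder is one argv element, so no shell
    ever interprets its contents.
    """
    if not allowlist_ok(folder):
        raise ValueError(f"invalid folder name: {folder!r}")
    return ["mount", "-t", "nfs", f"{host}:/{folder}", mountpoint]

# Constructed sample inputs.
SAMPLES = ["recordings/cam01", "recordings/$(true)", "rec;true", "../etc"]

def compare(samples=SAMPLES):
    """Return (value, denylist verdict, allowlist verdict) per sample."""
    return [(s, denylist_ok(s), allowlist_ok(s)) for s in samples]

if __name__ == "__main__":
    for value, weak, strict in compare():
        print(f"{value!r:24} denylist={weak!s:5} allowlist={strict}")
```

The denylist accepts any value built from characters it forgot to list, while the allowlist rejects everything outside the small set a folder name needs.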
CURRENT STATUS AND REQUIRED ACTION
Regardless of the severity of the vulnerabilities discovered, Hanwha Vision has resolved these vulnerabilities by releasing corrected firmware.
Please update affected models with the latest firmware. It is recommended to use the Wisenet Device Manager tool to download & update device firmware. Firmware can also be downloaded from the Hanwha Vision website.
If you have any questions, please feel free to reach out to the Hanwha S-CERT team at secure.cctv@hanwha.com or your local Technical Support Team.
A. Release Plan for DoS of WS Discovery and Hanwha proprietary discovery services
Model | Affected Firmware Version | Corrected Firmware Version |
---|---|---|
P Series | 2.11.03 and earlier versions | 2.12.00 and later versions |
X Series | 2.21.00 and earlier versions | 2.22.00 and later versions |
T Series | 2.11.11 and earlier versions | 2.12.00 and later versions |
L Series | 1.41.11 and earlier versions | 1.41.12 and later versions |
Encoder | 2.11.03 and earlier versions | 2.21.01 and later versions |