
Please Read: Hik-Connect Module Vulnerability Patch (CVE-2023-48121)

Phil

Hikvision have declared a vulnerability that affects the below devices, and recommend that you update your device(s) to the latest available firmware ASAP.

Hikvision has issued a patch, available on our website, to fix a vulnerability (CVE-2023-48121) in some Hikvision products.

The vulnerability has been rated as 8.2 using the CVSS v3.1 calculator. The list of products affected by the vulnerability can be found in our Security Notification. While Hikvision is not aware of this vulnerability being exploited in the field, we recognize that many of our partners may have installed Hikvision equipment that is affected by this vulnerability and we strongly encourage them to work with their customers to install the patch and ensure proper cyber hygiene. Unpatched devices are not vulnerable unless Hik-Connect is enabled, however, Hikvision recommends the patch be installed regardless of the use of Hik-Connect.

The vulnerability is found in an SDK developed by EZVIZ, which is integrated into a Hik-Connect module for cloud-related services.

Hikvision takes cybersecurity very seriously and has a long track record of responsibly and publicly disclosing vulnerabilities and patches. The company strictly complies with the laws and regulations in all countries and regions where we operate, and we apply the highest standards of cybersecurity practices in an effort to best protect the users of Hikvision products around the world.

The affected devices are listed below:

Affected Versions

| No | Product Name | Affected Versions |
|---|---|---|
| 1 | DS-2CV1xxx | build date before 231108 |
| 2 | DS-2CV2xxx | build date before 231108 |
| 3 | DS-2CD1xxx | build date before 230614 |
| 4 | DS-2CD2xxx | build date before 231110 |
| 5 | DS-2CD2xxx-W | build date before 230831 |
| 6 | DS-2CD3xxx | build date before 210429 |
| 7 | HWI-xxxx | build date before 231108 |
| 8 | IPC-xxx | build date before 230614 |
| 9 | DS-2DE4xxx | build date before 230519 |
| 10 | DS-2DE2Axx | build date before 230612 |
| 11 | iDS-EXXHUH, DS-EXXHGH, iDS-EXXHQH, DVR-EXXHUH, DVR-EXXHGH, DVR-EXXHQH | V4.71.210 build date before 230825 |
| 12 | iDS-72XXHQH-M(C), iDS-72XXHUH-M(C), iDS-72XXHQH-M(E), iDS-72XXHUH-M(E), iDS-72XXHTH-M(C), HW-HWD-72XXMH-G4, HW-HWD-62XXMH-G4, HL-DVR-216Q-K2(E) | V4.71.110 build date before 230823 |
| 13 | DS-71XXHGH-M(C), DS-72XXHGH-M(C), DS-71XXHGH-K(S), DS-72XXHGH-K(S), HL-DVR-1XXG-K(S), HL-DVR-2XXG-K(S), HL-DVR-1XXG-M(C), HL-DVR-2XXG-M(C), HW-HWD-51XXH(S), HW-HWD-51XXH-G, HW-HWD-51XXMH-G, iDS-71xxHQH-M(C), iDS-71xxHQH-M(E), iDS-72xxHQH-M/E(C), iDS-72xxHQH-M/E(E), HL-DVR-2XXQ-M(C), HL-DVR-2XXQ-M(E), HW-HWD-61XXMH-G4, HW-HWD-61XXMH-G4(E), iDS-71xxHUH-M(C), iDS-72xxHUH-M/E(C), iDS-71xxHUH-M(E), iDS-72xxHUH-M/E(E), HL-DVR-2XXU-M(C), HL-DVR-2XXU-M(E), HW-HWD-71XXMH-G4, HW-HWD-71XXMH-G4(E) | V4.71.131 build date before 230913 |
| 14 | DS-76xxNI-Q1(/xP)(D), DS-76xxNI-Q2(/xP)(D), DS-77xxNI-Q4(/xP)(D), DS-76xxNXI-K1(/xP)(B), NVR-2xx(M)H(-xP)-C(D), NVR-1xx(M)H(-xP)-C(D), HW-HWN-42xx(M)H(-xP)(D), HW-HWN-41xx(M)H(-xP)(D) | V4.75.000 build date before 230620 |
| 15 | DS-71xxNI-Q1(/xP)(/M)(D), DS-76xxNI-Q1(C), DS-76xxNI-Q2(C), DS-76xxNI-K1(C), HL-NVR-1xx(M)H-D(D), HW-HWN-21xx(M)H(-xP)(D), HW-HWN-41xxMH(C), HW-HWN-42xxMH(C), HL-NVR-1xxMH-C(C), HL-NVR-2xxMH-C(C) | V4.74.100 build date before 230707 |
| 16 | DS-76xxNI-K2, DS-77xxNI-K4 | V4.74.205 build date before 230712 |
| 17 | HL-NVR-EXXMH-D/4P(SSD 1T), HL-NVR-EXXMH-D/4P(SSD 2T), DS-EXXNI-Q1(SSD 1T), DS-EXXNI-Q1(SSD 2T) | V4.30.075 build date before 230925 |

You should be able to find new firmware for your device by navigating from here
 
NB - If you look at the list of devices covered and note that Hikvision have stated, for example DS-2CD2xxx (build date before 231110) - then just that one catchall line in the list covers an awful lot of camera models!

And, the build date is quite recent.

Therefore, it probably means that YOU need to check for new firmware for each of your devices ...
 
Thanks Phil. All eight of my cameras are affected. Now to try and find the U.S. firmware folder that seems to change several times a year...

Edit - for the Yankees out there: Firmware
 
@Phil I'm having trouble finding my firmware. I have eight G1 cameras and neither the U.S. nor the U.K. websites have any G1 firmware that I can find. Current firmware for all eight is 5.6.5 200316

I have seven DS-2CD2347G1-L cameras, and one DS-CD2455FWD-IW. All G1's, but there's no firmware whatsoever listed - even old versions. In fact, the search box shows nothing at all for G1 cameras.
 
Hi @fullboogie

After @Phil posted the above he asked us to look through our own office system and update any relevant models and we found the same problem.

It appears that Hikvision might have jumped the gun and put out their statement before most of the fixed firmware versions have actually been released (they've got a track record for announcing things before they are available :) ).

Keep checking the portals/websites over the weekend, we'll check again next week and if it still looks like lots of the firmware has not been updated we will contact Hikvision to find out where/when the firmware is available.
 
Thank you @Dan. Seems odd that all references to G1's are gone, even old firmware versions. But I'll keep looking - thanks.
 
I just updated my 7608NI-K1 (C) to this firmware version: 4.75.200 build 231110 directly from HIK-Partner PRO.
After the update, I searched the HIKVISION PORTAL and found nothing!
 

@Dan is trying to get further info from Hikvision UK Tech Support on this.
The notes for the vulnerability indicate that almost every device is affected.
But there seem to be very few firmware updates available.
We will update here if/when we can explain further ...
 
Hikvision UK Tech Support have told us today that:

The other fixed firmware will be released gradually.


Please don't shoot the messenger; I can only apologise that fixed firmware is not yet available :(

If you do spot new firmware releases, please add a Post to this thread as & when,

Sorry / Thanks
 
UPDATE: We've spoken to Hikvision support and they haven't been able to give us any great detail but have confirmed that fixed firmware will be released gradually over time.

One other thing, we have just noticed that the affected versions table from the Hikvision website has been updated and it does change the situation a bit, see new table below:

Affected Versions

| No | Product Name | Affected Versions |
|---|---|---|
| 1 | DS-2CV1xxx | build date before 231108 |
| 2 | DS-2CV2xxx | build date before 231108 |
| 3 | DS-2CD1xxx | build date before 230614 |
| 4 | DS-2CD2xx1, DS-2CD2xx3, DS-2CD2xx6, DS-2CD2xx7 | build date before 230630 |
| 5 | DS-2CD2xx2, DS-2CD2xx0 | build date before 231110 |
| 6 | DS-2CD2xxx-W | build date before 230831 |
| 7 | DS-2CD3xxx | build date before 210429 |
| 8 | HWI-xxxx | build date before 231108 |
| 9 | IPC-xxx | build date before 230614 |
| 10 | DS-2DE4xxx | build date before 230519 |
| 11 | DS-2DE2Axx | build date before 230612 |
| 12 | iDS-EXXHUH, DS-EXXHGH, iDS-EXXHQH, DVR-EXXHUH, DVR-EXXHGH, DVR-EXXHQH | V4.71.210 build date before 230825 |
| 13 | iDS-72XXHQH-M(C), iDS-72XXHUH-M(C), iDS-72XXHQH-M(E), iDS-72XXHUH-M(E), iDS-72XXHTH-M(C), HW-HWD-72XXMH-G4, HW-HWD-62XXMH-G4, HL-DVR-216Q-K2(E) | V4.71.110 build date before 230823 |
| 14 | DS-71XXHGH-M(C), DS-72XXHGH-M(C), DS-71XXHGH-K(S), DS-72XXHGH-K(S), HL-DVR-1XXG-K(S), HL-DVR-2XXG-K(S), HL-DVR-1XXG-M(C), HL-DVR-2XXG-M(C), HW-HWD-51XXH(S), HW-HWD-51XXH-G, HW-HWD-51XXMH-G, iDS-71xxHQH-M(C), iDS-71xxHQH-M(E), iDS-72xxHQH-M/E(C), iDS-72xxHQH-M/E(E), HL-DVR-2XXQ-M(C), HL-DVR-2XXQ-M(E), HW-HWD-61XXMH-G4, HW-HWD-61XXMH-G4(E), iDS-71xxHUH-M(C), iDS-72xxHUH-M/E(C), iDS-71xxHUH-M(E), iDS-72xxHUH-M/E(E), HL-DVR-2XXU-M(C), HL-DVR-2XXU-M(E), HW-HWD-71XXMH-G4, HW-HWD-71XXMH-G4(E) | V4.71.131 build date before 230913 |
| 15 | DS-76xxNI-Q1(/xP)(D), DS-76xxNI-Q2(/xP)(D), DS-77xxNI-Q4(/xP)(D), DS-76xxNXI-K1(/xP)(B), NVR-2xx(M)H(-xP)-C(D), NVR-1xx(M)H(-xP)-C(D), HW-HWN-42xx(M)H(-xP)(D), HW-HWN-41xx(M)H(-xP)(D) | V4.75.000 build date before 230620 |
| 16 | DS-71xxNI-Q1(/xP)(/M)(D), DS-76xxNI-Q1(C), DS-76xxNI-Q2(C), DS-76xxNI-K1(C), HL-NVR-1xx(M)H-D(D), HW-HWN-21xx(M)H(-xP)(D), HW-HWN-41xxMH(C), HW-HWN-42xxMH(C), HL-NVR-1xxMH-C(C), HL-NVR-2xxMH-C(C) | V4.74.100 build date before 230707 |
| 17 | DS-76xxNI-K2, DS-77xxNI-K4 | V4.74.205 build date before 230712 |
| 18 | HL-NVR-EXXMH-D/4P(SSD 1T), HL-NVR-EXXMH-D/4P(SSD 2T), DS-EXXNI-Q1(SSD 1T), DS-EXXNI-Q1(SSD 2T) | V4.30.075 build date before 230925 |

As an example, see row 4 of the table which previously covered all DS-2CD2xxx models which needed to be on build version 231110 or newer, but the new table at the Hikvision website now says that only 2CD2xx0 and 2xx2 models need to be on that build version and newer and all other models (DS-2CD2xx1, DS-2CD2xx3, DS-2CD2xx6, DS-2CD2xx7) only need to be on build date 230630 or newer (most of the new G2 models are already on newer firmware than this, but still need updated firmware for G1/FWD models).

We will keep an eye out for any further updates and please do post your own updates if you spot new firmware updates for specific models.
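
Added example (not part of the original posts, and not Hikvision's own tooling): one way to check an inventory of cameras against the build-date-only camera rows of the revised table above. It assumes a lowercase "x" in a product name stands for one letter or digit and that the pattern is a prefix of the full model name; the names check and parse_build and the inventory entries marked as constructed are illustrative.

```python
import re
from datetime import datetime

# Build-date-only camera rows from the revised table quoted in this thread.
# Row 6 (DS-2CD2xxx-W) and the DVR/NVR rows, which also name a firmware
# version, are not modelled; such devices are reported as "unknown".
FIXED_BUILD = {
    "DS-2CV1xxx": "231108", "DS-2CV2xxx": "231108", "DS-2CD1xxx": "230614",
    "DS-2CD2xx1": "230630", "DS-2CD2xx3": "230630",
    "DS-2CD2xx6": "230630", "DS-2CD2xx7": "230630",
    "DS-2CD2xx2": "231110", "DS-2CD2xx0": "231110",
    "DS-2CD3xxx": "210429", "HWI-xxxx": "231108", "IPC-xxx": "230614",
    "DS-2DE4xxx": "230519", "DS-2DE2Axx": "230612",
}

def _pattern_to_regex(pattern):
    # Assumption: lowercase "x" = exactly one letter or digit; everything
    # else is literal, and the pattern is matched as a model-name prefix.
    parts = ["[0-9A-Za-z]" if ch == "x" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))

RULES = [(_pattern_to_regex(p), p, b) for p, b in FIXED_BUILD.items()]

def parse_build(firmware):
    """Return the YYMMDD build date at the end of a firmware string."""
    m = re.search(r"(\d{6})\s*$", firmware)
    if not m:
        raise ValueError(f"no build date in {firmware!r}")
    return datetime.strptime(m.group(1), "%y%m%d").date()

def check(model, firmware):
    """Return (status, matched_row); status is affected, fixed or unknown."""
    build = parse_build(firmware)
    for regex, pattern, fixed in RULES:
        if regex.match(model.strip()):
            fixed_date = datetime.strptime(fixed, "%y%m%d").date()
            return ("affected" if build < fixed_date else "fixed", pattern)
    return ("unknown", None)  # no modelled row: check the notice by hand

# Sample inventory; first and last entries use values quoted in the thread.
INVENTORY = [
    ("DS-2CD2347G1-L", "5.6.5 200316"),
    ("DS-2CD2347G2-LU", "V5.7.12 build 230804"),   # constructed firmware
    ("DS-2CV1021G0-IDW", "V5.5.0 build 231109"),   # constructed firmware
    ("DS-7608NI-K1(C)", "4.75.200 build 231110"),  # NVR row, not modelled
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(model, fw, *check(model, fw))
```

An "unknown" result means the model matched none of the rows modelled here, not that the device is unaffected.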
 
Finding same on USA firmware site. Whereas the note at top shows many, many cameras, the firmware site doesn’t.

And regarding firmwares being ‘eventually’ released………
Anyone remember the last warning Hikvision mentioned—2-3 years ago? Same thing then: “Eventually” will be released…. I finally thought today was the ‘eventually’

Did not find it 2-3 years ago, or today.

However, I have isolated the cameras in our firewall, so…..
 
Well there's been a little movement. Three G1's have been added to the firmware update site.
 
I have two ColorVu 2347G2-LU non-C cameras. A 2.8mm and a 4mm.

It's good to see there is an actual firmware update for this model (albeit just a newer build date).
However, I fail to understand why the 2.8mm and 4mm models should have different firmware?
 

It's probably an oversight. Sometimes when new firmware comes out, the links to all applicable models don't get updated straight away. I recall some time ago a similar situation for the G5 models; new firmware was shown for the black models but not the white. Within a week all variants were correctly showing the new release. I'd happily update to the newer release.
 
I have another strange situation: I updated my DS-2CV1021G0-IDW cameras with the latest firmware available on the page: DS-2CV1021G0-IDW
But the version remains the same, only the build date has changed.
Isn't that strange? Did they do anything inside this new firmware, despite changing the build date?
 

Hi @apashi

This is normal, if an existing firmware is only being tweaked slightly (maybe just to fix an issue that appeared with the last update) then the firmware hasn't really changed enough for them to call it a completely different firmware version and so instead it is just a new tweaked/fixed build of the same firmware.
 
Any word on when Hik is going to publish the new firmware? Still nothing after 5 weeks...
 
Nothing further yet AFAIK.
I have to agree it's not great that they've made an alert/announcement and then release updates with no particular haste nor clarity :(
 