
Please Read: Web Browser Plug-in Vulnerabilities Patch (CVE-2023-28812, CVE-2023-28813)

Phil

Administrator
Hikvision have declared three new vulnerabilities to their partners by email this morning.
This post covers two vulnerabilities; a subsequent post will cover the other newly declared vulnerability, which only affects certain devices.

Given that it is Friday morning, and my quick first impression is that this vulnerability in the web plugin has a high score and is very widely used (by everybody who uses a browser to access their Hikvision devices), I've decided to share quickly verbatim below.

NB - If YOU use a browser to view your Hikvision devices then YOU need to update this plugin - do it now please.

We may be able to dig in and comment further in due course ...

Web Browser Plug-in Vulnerabilities Patch

Hikvision disclosed two vulnerabilities (CVE-2023-28812, CVE-2023-28813) in a browser plug-in named LocalServiceComponents. The company has released an update (Version 1.0.0.81) to this plug-in to fix the vulnerabilities.



Hikvision has rated these vulnerabilities as 9.1 and 8.1 using the CVSS v3.1 calculator. While Hikvision is not aware of these vulnerabilities being exploited in the field, we recognize that some of our users may have installed this plug-in on their computers. We encourage our partners to work with their customers to install the update and ensure proper cyber hygiene.

With these vulnerabilities, we want to provide you with the details and timeline to reassure you of Hikvision’s strong commitment to cybersecurity following the standard Coordinated Disclosure Process. In October 2023, Hikvision Security Response Center (HSRC) was contacted by an independent security researcher, who reported two potential vulnerabilities in a Hikvision web browser plug-in. Once the HSRC confirmed the existence of the vulnerabilities, it worked with the researcher to patch and verify the successful mitigation of the reported vulnerabilities.
 
BTW - longstanding advice to implement / use a new web browser plugin is:
  1. Download the new plugin - latest today as per the above notification is here
  2. Note where it has been saved on your computer e.g. typically in your Downloads folder
  3. Shut down / restart your PC
  4. After your PC has restarted and BEFORE starting your browser or any other program
  5. Navigate to the downloaded file
  6. Run and install the new plugin

This process should ensure that the new version is now used.


NB The downloaded file is a zip file and needs to be extracted before you can run & install it:

[Screenshot: Hikvision LocalServiceComponents plugin file, 24-11-23]
 
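To confirm that the install steps above left a PC on the fixed version, the following PowerShell check is an added example (not from the original posts or from Hikvision). It assumes the plug-in registers a Windows uninstall entry whose DisplayName contains "LocalServiceComponents"; that name match is an assumption, so adjust `$NamePattern` if the entry is listed differently.

```powershell
# Added example: flag LocalServiceComponents installs older than the fixed release.
# Assumption: the uninstall entry's DisplayName contains "LocalServiceComponents".
$FixedVersion = [version]'1.0.0.81'   # fixed version named in the Hikvision notice
$NamePattern  = '*LocalServiceComponents*'

# Standard uninstall locations: machine-wide (64-bit and 32-bit views) and per-user.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $found) {
    # Not proof of absence: the plug-in may be registered under another name.
    Write-Output "No uninstall entry matches $NamePattern on this PC."
    return
}

foreach ($entry in $found) {
    $installed = $null
    # Parse as [version] so the comparison is numeric per field:
    # 1.0.0.9 is older than 1.0.0.81, which a string comparison gets wrong.
    $parsed = [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)

    if (-not $parsed) {
        $status = 'UNKNOWN (version not parseable)'
    } elseif ($installed -lt $FixedVersion) {
        $status = 'UPDATE REQUIRED'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Name    = $entry.DisplayName
        Version = $entry.DisplayVersion
        Status  = $status
    }
}
```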