SEVERITY: CRITICAL

Redinent Researchers discovered a Authentication Bypass Vulnerability in Hikvision’s SANS Cluster Storage products.

Technical Details: The vulnerability exists due to presence of insecure javascript calls in the cluster’s web management interface. An attacker can exploit the vulnerability by sending crafted messages to the affected devices and reset the administrative password of the device.

Post exploitation, the attacker gains full administrative access to all functions of the cluster management interface.

Affected Versions
Product Name Affected Versions
SAN_230410 , Versions below V2.3.8-8 (including V2.3.8-8)
DS-A80624S , Versions below V2.3.8-8 (including V2.3.8-8)
DS-A81016S , Versions below V2.3.8-8 (including V2.3.8-8)
DS-A72024/72R, Versions below V2.3.8-8 (including V2.3.8-8)
DS-A80316S , Versions below V2.3.8-8 (including V2.3.8-8)
DS-A82024D, Versions below V2.3.8-8 (including V2.3.8-8)
DS-A71024/48R-CVS, Versions below V1.1.4 (including V1.1.4)

Hikvision has released a version to fix the vulnerability.

CVE ID: CVE-2023-28808
Hikvision Advisory:  HSRC-202304-01

The coordinated disclosure timeline:

1. December 20  2022 – Vulnerability discovered by Redinent researchers
2. December 27 2022 – Vulnerability verified by Redinent
3. December 29 2022 – Vulnerability report to CERT India.
4. January 10 2023 – CERT acknowledged the vulnerability and informed the OEM
5. April 11 2023 – OEM releases global advisory

References:

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-cluster-stor/