Hikvision Security Notification: Security Vulnerability in Some Hybrid SAN/Cluster Storage Products
An access control vulnerability can be used to obtain admin permission
This is a Press Release edited by StorageNewsletter.com on April 20, 2023 at 2:01 pm. Hikvision Digital Technology Co., Ltd. has published a security advisory concerning a vulnerability in its Hybrid SAN/Cluster storage products.
SN No. HSRC-202304-01
Edit: Hikvision Security Response Center (HSRC)
Initial release date: 2023-04-10
Summary
Some Hikvision Hybrid SAN/Cluster storage products have an access control vulnerability which can be used to obtain admin permission. An attacker can exploit the vulnerability by sending crafted messages to the affected devices.
Hikvision has released a version to fix the vulnerability.
CVE ID: CVE-2023-28808
Scoring: CVSS v3 is adopted in this vulnerability scoring (http://www.first.org/cvss/specification-document)
CVE-2023-28808
Base score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Temporal score: 8.2 (E:P/RL:O/RC:C)
Affected versions and fixes:

Product name | Affected versions | Download patch | User manual
DS-A71024/48/72R, DS-A80624S, DS-A81016S, DS-A72024/72R, DS-A80316S, DS-A82024D | Versions below V2.3.8-8 (including V2.3.8-8) | see "Obtaining fixed versions" below | User Guide for Fixing Security Vulnerability of Hybrid SAN_230410
DS-A71024/48R-CVS | Versions below V1.1.4 (including V1.1.4) | see "Obtaining fixed versions" below | User Guide for Fixing Security Vulnerability of Cluster_230410
Precondition
The attacker has network access to the device.
Attack step
Send a specially crafted malicious message.
Obtaining fixed versions
Users can download patches/updates on the Hikvision official website.
Source of vulnerability information
This vulnerability was reported to HSRC by Souvik Kandar and Arko Dhar of the Redinent Innovations team in India. We also want to acknowledge the cooperation of the National Computer Emergency Response Team of India (CERT-In), which coordinated with us to handle this vulnerability.