|
JVNDB-2024-000116
|
Hikvision network camera security enhancement to prevent cleartext transmission of Dynamic DNS credentials
|
Multiple network cameras provided by Hangzhou Hikvision Digital Technology Co., Ltd. support two Dynamic DNS services, DynDNS and NO-IP. The user can select which one to use on the GUI configuration page.
Both services offer their APIs over HTTP and HTTPS, but old firmware versions of Hikvision devices support only HTTP. This means the credential information is transmitted in unencrypted form.
As a security enhancement, new firmware versions are provided that communicate with the APIs via HTTPS only.
|
|
|
Hangzhou Hikvision Digital Technology Co., Ltd.
- DS-2CD1xxxG0 versions prior to V5.7.23 build241008
- DS-2CD1xxxG2 versions prior to V5.8.4 build240613
- DS-2CD29xxG0 versions prior to V5.7.21 build240814
- DS-2CD2xx1G0 versions prior to V5.7.23 build241008
- DS-2CD2xxxFWD versions prior to V5.6.821 build240409
- DS-2CD2xxxG2 versions prior to V5.7.18 build240826
- DS-2CD3xx1G0 versions prior to V5.7.23 build241008
- DS-2CD3xx1G2 versions prior to V5.8.4 build240613
- DS-2CD3xxxG2 versions prior to V5.7.18 build240826
- HWI-xxxxHA versions prior to V5.8.4 build240613
- IPC-xxxxH versions prior to V5.7.23 build241008
- IPC-xxxxHA versions prior to V5.8.4 build240613
|
|
When an affected device is configured to use either Dynamic DNS service, the credential information of the service may be obtained or the communication between the device and the service may be altered by a man-in-the-middle attack.
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
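To decide which cameras in an inventory still run firmware below the fixed versions listed above, the following check can be used. It is an added example, not code from JVN or Hikvision; it assumes each lowercase `x` in a listed model name stands for one letter or digit, that model suffixes such as `-I` may follow, and it uses a constructed inventory.

```python
import re
# Fixed firmware per model family, copied from the advisory's affected-product list.
FIXED = {
    "DS-2CD1xxxG0": "V5.7.23 build241008",
    "DS-2CD1xxxG2": "V5.8.4 build240613",
    "DS-2CD29xxG0": "V5.7.21 build240814",
    "DS-2CD2xx1G0": "V5.7.23 build241008",
    "DS-2CD2xxxFWD": "V5.6.821 build240409",
    "DS-2CD2xxxG2": "V5.7.18 build240826",
    "DS-2CD3xx1G0": "V5.7.23 build241008",
    "DS-2CD3xx1G2": "V5.8.4 build240613",
    "DS-2CD3xxxG2": "V5.7.18 build240826",
    "HWI-xxxxHA": "V5.8.4 build240613",
    "IPC-xxxxH": "V5.7.23 build241008",
    "IPC-xxxxHA": "V5.8.4 build240613",
}

def parse_fw(text):
    """'V5.7.23 build241008' -> (5, 7, 23, 241008); ValueError on anything else."""
    m = re.fullmatch(r"\s*V(\d+)\.(\d+)\.(\d+)\s+build\s*(\d+)\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())

def family_regex(pattern):
    # Assumption: each lowercase 'x' stands for exactly one letter or digit.
    return "".join("[0-9A-Za-z]" if c == "x" else re.escape(c) for c in pattern)

def families_for(model):
    """Longest advisory patterns that prefix-match the model name."""
    hits = [p for p in FIXED if re.match(family_regex(p), model)]
    longest = max(map(len, hits), default=0)
    return [p for p in hits if len(p) == longest]

def needs_update(model, firmware):
    """True/False for a listed family, None when the model is not in the advisory."""
    fams = families_for(model)
    if not fams:
        return None
    # Tie between families: require the highest fixed version (conservative choice).
    return parse_fw(firmware) < max(parse_fw(FIXED[p]) for p in fams)

# Constructed inventory rows (model, firmware); not taken from the advisory.
INVENTORY = [("DS-2CD2143G2-I", "V5.7.15 build230101"), ("IPC-1234HA", "V5.7.23 build241008"),
             ("NVR-EXAMPLE-01", "V4.30.0 build200101")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(model, fw, needs_update(model, fw))
```

A model that matches both `IPC-xxxxH` and `IPC-xxxxHA` is judged against the longer pattern; a result of `None` means the model is outside the advisory's list, not that it is safe.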
|
Hangzhou Hikvision Digital Technology Co., Ltd.
|
|
|
- JVN : JVN#11779839
|
- [2024/10/30]
Web page was published
|