Hello, welcome to the Friday, October 29th, 2021 edition of the Sandcentred Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Alcobar, Saudi Arabia.

Back in May of 2014, we came across a botnet that was built around weak logins in Hickvision cameras.

This was sort of a precursor of what later then became Marai and the like, and back then

mostly used for crypto coin mining.

Well, Hickvision is in the news again, and this time maybe we'll have a chance to prevent

a similar botnet from

being built by actually patching systems. The vulnerability is not just a weak password, but a

vulnerability that allows arbitrary code execution without any authentication. A researcher who is using the alias, a watchful IP, found

the vulnerability, reported it to HickVision, and Hickvision now did release updates. There are not a lot of

details available at this point, and I applaud Watchful IP for holding back a little bit here to give everybody time

to patch, but the gist of it is that with this vulnerability, it's possible to add an additional

entry to the Etsy password file of the camera. And doing so, an attacker would be able to add an additional

administrative user that's actually more powerful than the default administrative user.

There is a default administrative user configured for the camera and protected with whatever

password the user sets, but that user actually has only access

to a restricted shell. With this vulnerability and by adding a new line to Etsy password,

an attacker would be able to add a new root user with whatever shell they would like to use.

Once the hacker has done so, then of course it's just a matter of using SSH or the web interface

to connect to the camera and execute additional code.

So this is something that has to be patched quickly. Like I said, an updated firmware has

been released. Now, there is a large number of affected devices out there. What's sometimes a

...