Chinese video surveillance giant Hikvision addressed an access control vulnerability, tracked as CVE-2023-28808, affecting its Hybrid SAN and cluster storage products.
An attacker with network access to the device can exploit the issue to obtain admin permission. The attacker can exploit the vulnerability by sending crafted messages to vulnerable devices.
“Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to the affected devices.” reads the advisory published by the company.
The vulnerability was reported in December 2022 by Souvik Kandar, Arko Dhar of the Redinent Innovations team in India.
On April 10, Hikvision released version 2.3.8-8 for Hybrid SAN and version 1.1.4 for cluster storage devices to address the vulnerability.
According to SecurityWeek, the vendor is not aware of attacks in the wild exploiting the vulnerability and is urging customers to patch their installations.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Hikvision)