HiSilicon is a global leading fabless semiconductor and IC design company that is dedicated to providing comprehensive connectivity and multimedia chipset solutions for global equipment vendors in fields such as video surveillance, set-top boxes, and smart homes.

The vulnerability response of video surveillance devices may involve different stakeholders such as vulnerability research organizations/individuals, chip suppliers, component suppliers, equipment vendors, and end users. It is necessary to clearly understand the complexity of the supply chain. Any part of the supply chain may introduce vulnerabilities, which increases the difficulty in vulnerability response. Coordinated vulnerability disclosure is the best practice in the industry in this scenario. As an important part of the supply chain of video surveillance devices, HiSilicon is willing to cooperate with stakeholders in the industry to cope with cyber security risks through coordinated vulnerability disclosure and protect the interests of end users.

HiSilicon noticed that some media outlets reproduced a researcher's report about security vulnerabilities in DVRs/NVRs built on the HiSilicon HI3520DV400 video surveillance chip on September 16, 2020: CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, and CVE-2020-24219. Our findings based on immediate investigation are as follows:

The vulnerabilities are not introduced by the chips and SDKs provided by HiSilicon

HiSilicon provides customers (equipment vendors) with chips, operating system kernels (such as Linux kernel of a certain version), and SDK (mainly driver) development platforms, based on which they design and develop products. The following figure shows the logic of the HiSilicon chip in a device.

Figure 1-1 Logic of the HiSilicon chip in a device

In this figure, the components marked in blue are delivered by HiSilicon; the parts marked in green are open-source code, and HiSilicon provides it as reference code to equipment vendors; the applications marked in orange are delivered by equipment vendors.

We have analyzed the security vulnerabilities mentioned by the researcher as follows:

1. Full administrative access via backdoor password (CVE-2020-24215): The executable program box.v400_hdmi described in the report is an application delivered by equipment vendors (marked in orange in Figure 1-1), and is not included in the HiSilicon SDK.
2. Administrative root access via telnet (CVE-2020-24218): In the HiSilicon SDK, no network service is enabled by default, and no account or password is set. In addition, HiSilicon provides the Cyber Security Precautions for Secondary Development to equipment vendors along with the software package. This document advises customers to add permission management and security configuration functions in final mass production versions.
3. Arbitrary file read via path traversal (CVE-2020-24219): The function that provides external file operations services through web service belongs to an application delivered by equipment vendors (marked in orange in Figure 1-1), and is not included in the HiSilicon SDK.
4. Unauthenticated file upload, Arbitrary code execution by uploading malicious firmware, and Arbitrary code execution via command injection (CVE-2020-24217): The upgrade function is provided by equipment vendors based on application scenarios of products. It belongs to an application delivered by equipment vendors (marked in orange in Figure 1-1), and is not included in the HiSilicon SDK.
5. Denial of service via buffer overflow (CVE-2020-24214): The sprintf function used in the application code has a memory overflow vulnerability, causing box.v400_hdmi to deny services. The code belongs to an application delivered by equipment vendors (marked in orange in Figure 1-1), and is not included in the HiSilicon SDK.
6. Unauthorized video stream access via RTSP (CVE-2020-24216): The function that provides external video stream services through RTSP belongs to an application delivered by equipment vendors (marked in orange in Figure 1-1), and is not included in the HiSilicon SDK.

The preceding analysis shows that all vulnerabilities mentioned in the report exist in the applications of equipment vendors (marked in orange in Figure 1-1). These vulnerabilities are not introduced by the chips and SDKs provided by HiSilicon.

As an important part of the supply chain of video surveillance devices, HiSilicon is willing to collaborate with downstream equipment vendors and researchers through coordinated response to cyber security risks brought by the vulnerabilities mentioned in the report and protect the interests of end users.