This article describes how to use FortiGate’s IoT Detection Service to identify the Hikvision IP Camera device and app that is vulnerable to the recent command injection vulnerability.
The vulnerable device and app can be identified from the Security Fabric > Asset Identity Center when the FortiGate interface connected to the IoT device has device detection enabled.
NAC policies can be used to mitigate the threat.
This Hikvision command injection vulnerability allows an attacker to exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
Table of Contents
Scope
FortiGate’s IoT Detection Service and integration into Asset Identity Center are supported on FortiOS 7.2.1 and above. After identifying the vulnerable device and app, mitigate the threat using NAC policies to quarantine the device in a quarantine VLAN.
To use NAC policies, it is assumed that the IoT device is located in the LAN and accessed through FortiSwitch or a Wireless SSID.
Solution
The IoT Detection Service is a subscription service applicable to FortiOS 7.2.0 and above. The presence of this service allows device detection to identify the latest IoT devices in the IoT detection definitions.
The following instructions outline the steps needed to detect and identify the Hikvision IP Camera device and app on the network.
To use device detection to identify the vulnerable IoT device
Step 1: On the FortiGate, verify device detection is enabled on the suspected network interface, SSID or VLAN in which the IoT device may be located. Usually, device detection is enabled on interfaces with the LAN or DMZ roles only.
Step 2: Go to Network > Interfaces.
Step 3: Double-click the network interface, SSID, and VLAN where IoT devices may be located.
Step 4: Under Network, ensure the Device Detection option is enabled.
Step 5: For each interface, there should be a corresponding firewall policy that allows the traffic, and has the application control profile enabled.
Step 6: Go to Security Fabric > Asset Identity Center. Detected devices under the network interfaces will appear on this page. Detection requires that traffic from the device has been detected on the interface since Device Detection is enabled. Therefore, it may require time for the vulnerable device to appear.
Step 7: Scroll through the Asset Identity Center page to identify the presence of the Hikvision IP Camera device. Alternatively, using the Search option, search for the ‘Hikvision’ device. Adjust the time frame if the device may have been detected earlier.
To use NAC Policies to quarantine the vulnerable IoT device
Step 1: Go to WiFi and Switch Controller > NAC Policies.
Step 2: Select Create New to create a new NAC Policy.
Step 3: Enter the Name of the policy, Hikvision-IoT-Quarantine.
Step 4: Under Device Patterns:
- Category: Device
- Hardware vendor: Hikvision
- Type: IP Camera
- Operating System (Optional): Hikvision IP Camera Firmware
Step 5: Under Switch Controller Action, enable Assign VLAN.
Step 6: Select the drop-down and select Create.
Step 7: For the new Interface, enter the following:
- Name: IoT-Quar-VLAN
- VLAN ID: any unused VLAN ID
- IP/Network: subnet used for quarantined IoT devices
Step 8: Select OK to finish.
Step 9: Select the new IoT-Quar-VLAN.
Step 10: Under Wireless Controller Action, enable Assign VLAN.
Step 11: Select the drop-down and select Create.
Step 12: For the new Interface, enter the following:
- Name: IoT-Quar-SSID
- VLAN ID: any unused VLAN ID
- Type: VLAN
- Interface: the SSID used for IoT
- VLAN ID: any unused VLAN ID
- IP/Network: subnet used for quarantined IoT devices
Step 13: Select OK to finish.
Step 14: Select the new IoT-Quar-SSID.
Step 15: Select OK to finish the NAC Policy setup.
Step 16: Go to WiFi and Switch Controller > FortiSwitch Ports.
Step 17: Right-click on the ports, to convert to the NAC mode, then select Mode > NAC.
Step 18: By default, there are no firewall policies for the quarantine VLANs, so the quarantined devices have no network access.
Step 19: Go to WiFi and Switch Controller > NAC Policies.
Step 20: On the top, right-click View Matched Devices. Matched devices that are assigned the quarantine VLAN will appear here.
Reference
- FortiGuard Outbreak Alert: Hikvision IP Cameras Command Injection Vulnerability