CVE-2018-6299

9.8 CRITICAL

📋 TL;DR

CVE-2018-6299 is an authentication bypass vulnerability in Hanwha Techwin Smartcams that allows attackers to access camera feeds and administrative functions without valid credentials. This affects multiple Hanwha Techwin smart camera models running vulnerable firmware versions. Attackers can exploit this remotely over the network.

💻 Affected Systems

Products:
  • Hanwha Techwin Smartcams (various models including SNO-7084R, SNP-6322H, others)
Versions: Firmware versions prior to 1.13.1
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects cameras with web interface enabled. Some models may have different firmware versioning.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of camera systems allowing unauthorized video surveillance, camera manipulation, credential theft, and potential lateral movement to connected networks.

🟠 Likely Case

Unauthorized access to live camera feeds, recording manipulation, and camera configuration changes by remote attackers.

🟢 If Mitigated

Limited impact if cameras are isolated on separate VLANs with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Cameras exposed to the internet can be directly exploited without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this if cameras are accessible on the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit involves sending specially crafted HTTP requests to bypass authentication checks. Multiple public exploit scripts exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.13.1 and later

Vendor Advisory: https://www.hanwhasecurity.com/support/notice/view.do?idx=100

Restart Required: Yes

Instructions:

1. Download latest firmware from Hanwha Techwin support portal.
2. Backup camera configuration.
3. Upload firmware via web interface.
4. Reboot camera.
5. Restore configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLAN with strict firewall rules

Disable Web Interface

all

Disable HTTP/HTTPS access if not required for operation

🧯 If You Can't Patch

  • Place cameras behind VPN with strict access controls
  • Implement network-based intrusion detection to monitor for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: Settings > System > Information. Versions below 1.13.1 are vulnerable.

Check Version:

curl -k "https://[CAMERA_IP]/stw-cgi/system.cgi?msubmenu=info&action=view"

Verify Fix Applied:

Verify firmware version is 1.13.1 or higher and test authentication by attempting to access admin pages without credentials.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful access
  • Access to admin pages from unusual IP addresses

Network Indicators:

  • HTTP requests to /stw-cgi/ paths without authentication headers
  • Unusual traffic patterns to camera web interface

SIEM Query:

source="camera_logs" AND (event="authentication_bypass" OR (status=200 AND auth="none" AND uri="/stw-cgi/*"))
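
The log and network indicators above, written as a small offline detector. This is an added example, not part of the original advisory or any vendor tooling; the key=value log layout, the field names and the three-failure threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines. The key=value layout and the field names
# (src, uri, status, auth) are assumptions modelled on the SIEM query fields.
SAMPLE_LOG = """\
ts=2018-03-12T10:00:01Z src=10.0.5.20 uri=/stw-cgi/system.cgi status=200 auth=digest
ts=2018-03-12T10:02:10Z src=198.51.100.7 uri=/stw-cgi/system.cgi status=401 auth=none
ts=2018-03-12T10:02:11Z src=198.51.100.7 uri=/stw-cgi/system.cgi status=401 auth=none
ts=2018-03-12T10:02:12Z src=198.51.100.7 uri=/stw-cgi/system.cgi status=401 auth=none
ts=2018-03-12T10:02:13Z src=198.51.100.7 uri=/stw-cgi/system.cgi status=200 auth=none
ts=2018-03-12T10:05:00Z src=10.0.5.21 uri=/index.html status=200 auth=none
ts=2018-03-12T10:06:00Z src=203.0.113.9 uri=/stw-cgi/system.cgi status=200 auth=none
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"src", "uri", "status", "auth"}


def detect(log_text, fail_threshold=3):
    """Return a list of (src, uri, reason) alerts for the two indicators."""
    alerts = []
    fails = defaultdict(int)  # consecutive 401s seen per source address
    for line in log_text.splitlines():
        ev = dict(KV.findall(line))
        if not REQUIRED <= ev.keys():
            continue  # malformed or unrelated line
        src, uri = ev["src"], ev["uri"]
        if ev["status"] == "401":
            fails[src] += 1
        elif ev["status"] == "200":
            # Network indicator: 200 on a /stw-cgi/ path with no authentication.
            if uri.startswith("/stw-cgi/") and ev["auth"] == "none":
                alerts.append((src, uri, "unauthenticated-200"))
            # Log indicator: success immediately after repeated failures.
            if fails[src] >= fail_threshold:
                alerts.append((src, uri, "success-after-failures"))
            fails[src] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Authenticated requests and pages outside /stw-cgi/ produce no alert, so the internal client at 10.0.5.20 and the /index.html request are ignored.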
