FortiGate
keithli_FTNT
Staff
Article Id 222299
Description

This article describes how to use FortiGate's IoT Detection Service to identify the Hikvision IP Camera device and app that are vulnerable to the recent command injection vulnerability.

The vulnerable device and app can be identified from Security Fabric -> Asset Identity Center when the FortiGate interface connected to the IoT device has device detection enabled.

NAC policies can be used to mitigate the threat.

 

This Hikvision vulnerability allows an attacker to launch a command injection attack by sending messages that contain malicious commands.

Scope

FortiGate’s IoT Detection Service and integration into Asset Identity Center is supported on FortiOS 7.2.1 and above. After identifying the vulnerable device and app, mitigate the threat using NAC policies to quarantine the device in a quarantine VLAN.

 

To use NAC policies, it is assumed that the IoT device is located in the LAN and accessed through FortiSwitch or a Wireless SSID.

 

For more information about this attack, see the following FortiGuard Outbreak Alert:

https://fortiguard.fortinet.com/outbreak-alert/hikvision-command-injection

Solution

The IoT Detection Service is a subscription service applicable to FortiOS 7.2.0 and above. The presence of this service allows device detection to identify the latest IoT devices in the IoT detection definitions.

 

The following instructions outline steps needed to detect and identify the Hikvision IP Camera device and app on the network. 

 

To use device detection to identify the vulnerable IoT device:

 

1) On the FortiGate, verify that device detection is enabled on the suspected network interface, SSID or VLAN in which the IoT device may be located. Usually device detection is enabled only on interfaces with the LAN or DMZ role.

 

2) Go to Network -> Interfaces. Double-click the network interface, SSID or VLAN where IoT devices may be located. Under Network, ensure the Device Detection option is enabled.

 

3) For each interface, there should be a corresponding firewall policy that allows the traffic and has an application control profile enabled.

 

4) Go to Security Fabric -> Asset Identity Center. Devices detected on the network interfaces appear on this page. Detection requires that traffic from the device has been seen on the interface since Device Detection was enabled, so it may take time for the vulnerable device to appear.

 

5) Scroll through the Asset Identity Center page to identify the presence of the Hikvision IP Camera device. Alternatively, using the Search option, search for the 'Hikvision' device. Adjust the time frame if the device may have been detected earlier.

 

To use NAC Policies to quarantine the vulnerable IoT device:

 

1) Go to WiFi and Switch Controller -> NAC Policies. Select Create New to create a new NAC Policy.

 

2) Enter the Name of the policy: Hikvision-IoT-Quarantine.

 

3) Under Device Patterns:

  • Category: Device
  • Hardware vendor: Hikvision
  • Type: IP Camera
  • Operating System (Optional): Hikvision IP Camera Firmware

4) Under Switch Controller Action, enable Assign VLAN. Open the drop-down and select Create.

 

  a) For the new Interface, enter the following:

  • Name: IoT-Quar-VLAN
  • VLAN ID: any unused VLAN ID
  • IP/Network: subnet used for quarantined IoT devices
  • Select OK to finish.

  b) Select the new IoT-Quar-VLAN

 

5) Under Wireless Controller Action, enable Assign VLAN. Open the drop-down and select Create.

 

  a) For the new Interface, enter the following:

  • Name: IoT-Quar-SSID
  • Type: VLAN
  • Interface: the SSID used for IoT
  • VLAN ID: any unused VLAN ID
  • IP/Network: subnet used for quarantined IoT devices
  • Select OK to finish.

  b) Select the new IoT-Quar-SSID

 

6) Select OK to finish the NAC Policy setup.

 

[Screenshot: Hikvision-NAC-Policy2.png]

 

7) Go to WiFi and Switch Controller -> FortiSwitch Ports. Right-click the ports to convert them to NAC mode, then select Mode -> NAC.

 

8) By default, there are no firewall policies for the quarantine VLANs, so the quarantined devices have no network access.

 

9) Go to WiFi and Switch Controller -> NAC Policies. At the top, right-click View Matched Devices. Matched devices that have been assigned the quarantine VLAN appear here.
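The two procedures above (enabling device detection, then quarantining matched devices) in FortiOS CLI form, as an added example that is not part of this article. It assumes the FortiLink interface is named fortilink, uses a constructed quarantine subnet, and the command and field names are as recalled from the FortiOS 7.2 CLI reference, so verify them against your firmware's CLI reference before use.

```fortios
# Added example, not from the article: CLI equivalent of the GUI steps above.
# Command and field names are as recalled from the FortiOS 7.2 CLI reference;
# verify against your firmware. Angle-bracket values are placeholders.

# Detection steps 1-2: enable Device Detection on the interface where the
# cameras are connected; only then do they show up in Asset Identity Center.
config system interface
    edit "<iot-lan-interface>"
        set role lan
        set device-identification enable
    next
end

# Quarantine step 4a: VLAN on the FortiLink interface for quarantined devices.
# The subnet below is a constructed example.
config system interface
    edit "IoT-Quar-VLAN"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.0
        set interface "fortilink"
        set vlanid <unused-vlan-id>
    next
end

# Quarantine step 4 (Switch Controller Action -> Assign VLAN) is a MAC policy
# that the NAC policy references.
config switch-controller mac-policy
    edit "Hikvision-Quarantine-MAC"
        set fortilink "fortilink"
        set vlan "IoT-Quar-VLAN"
    next
end

# Quarantine steps 2-3: NAC policy with the same device pattern as the GUI.
config user nac-policy
    edit "Hikvision-IoT-Quarantine"
        set category device
        set hw-vendor "Hikvision"
        set type "IP Camera"
        set os "Hikvision IP Camera Firmware"
        set switch-fortilink "fortilink"
        set switch-mac-policy "Hikvision-Quarantine-MAC"
    next
end

# Step 7 (port NAC mode) still has to be done on the FortiSwitch ports.
# Step 8: with no firewall policy whose source is IoT-Quar-VLAN, quarantined
# devices get no network access. To list detected devices from the CLI:
# diagnose user device list
```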