The following advisory describes 2 vulnerabilities found in HiSilicon application-specific integrated circuit (ASIC) chip set firmware.
HiSilicon provides ASICs and solutions for communication network and digital media. These ASICs are widely used in over 100 countries and regions around the world. In the digital media field, HiSilicon has already released the SoC and solution for network surveillance, videophone, DVB and IPTV.
The vulnerabilities found in HiSilicon ASIC firmware are:
- Buffer overflow in built-in webserver
- Directory path traversal built-in webserver
The list of vendors working with HiSilicon is unknown. We manage to identify 55 different vendors, all of them are still vulnerable.
Here is example of 10 vendors using the HiSilicon application-specific integrated circuit (ASIC) chip set in their products (the full list can be found in the end of this report):
An independent security researcher Istvan Toth has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
We tried to communicate with the vendor through emails and twitter, over the course of several months, we were unable to get any response.