Dahua RTSP Security Flaw

We have a client for whom we have installed many Dahua IP cams of various models. The issue we are having is that anyone with access to the camera VLAN can use the standard RTSP string (rtsp://IPADDRESS/axis-cgi/mjpg/video.cgi) to view the camera stream without credentials. Worse yet, doing so changes the Encoding setting on the camera to MJPEG and max frame rate and bit rates. This essentially will greatly inflate the network bandwidth and eventually lock up the camera.

Also, DW Spectrum (VMS in use at this site) will no longer show the feed, as it is expecting an h.264 stream, not MJPEG.

My first thought was to restrict access to the camera using the IP Filter setting in the Dahua camera itself. One would think that a whitelist of allowed IPs/MACs would be a good place to start. However, and here is the flaw, the IP Filter does NOT block RTSP access. It only filters the ability to log in to the camera's webpage.

The logical answer here is to simply lock down the VLAN, which we don't have control of, but the IT dept is resisting this. They say that the time spent doing so is not something they can do. Currently any PC on the network has access to the camera VLAN. They say that is secure enough for them. No one inside their org will tamper with anything.

The issue is, it just happened yesterday by accident. Someone opened an old webpage that they used to use to view now-retired Axis cameras that used the same IP address of the newer Dahua cameras. This webpage had a similar RTSP string associated with the current Dahua IP addresses. When they simply viewed this page, it knocked out 7 cameras.

Anyone have a contact at Dahua who could possibly address this issue?

Wow. There are 3 things that I see here that would need to get fixed ASAP:

  • Using a CGI command designed for viewing should not change settings in the camera. Changing settings should be restricted to authenticated users and via setup commands, not viewing commands.
  • IP filtering should affect all access to the camera, regardless of the type of access/stream.
  • Authentication should affect not just webpage login, but also RTSP, ONVIF, etc.

My guess is that they have old Axis MJPEG API for compatibility, but won't want to touch it because it is "old". Hopefully they have a command to disable this type of access... Good luck.
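Until the cameras enforce this themselves, the same three conditions can be watched for from the network side. The following is an added example, not part of the thread and not Dahua or DW Spectrum code: it audits RTSP exchanges reassembled from a capture on the camera VLAN. The VMS address, the `/stream` path and the sample records are constructed; the legacy path is the one quoted in the first post.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: only the VMS server should ever pull streams from the cameras.
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.0.5")}  # constructed VMS address
LEGACY_PATH = "/axis-cgi/mjpg/video.cgi"               # path quoted in the thread
STREAM_METHODS = {"DESCRIBE", "SETUP", "PLAY"}

# Constructed records: (source IP, raw RTSP request, response status code)
SAMPLE = [
    ("10.20.0.5", "DESCRIBE rtsp://10.20.1.11/stream RTSP/1.0\r\nCSeq: 2\r\n"
                  "Authorization: Digest username=\"vms\"\r\n\r\n", 200),
    ("10.30.4.77", "DESCRIBE rtsp://10.20.1.11/axis-cgi/mjpg/video.cgi RTSP/1.0"
                   "\r\nCSeq: 1\r\n\r\n", 200),
    ("10.20.0.5", "DESCRIBE rtsp://10.20.1.12/stream RTSP/1.0\r\nCSeq: 1\r\n\r\n", 401),
    ("10.30.4.77", "garbage", 0),
]

def parse_request(raw):
    """Return (method, uri, headers) or None if this is not an RTSP/1.0 request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or parts[2] != "RTSP/1.0":
        return None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def audit(records):
    """Flag exchanges that break the rules the cameras fail to enforce."""
    findings = []
    for src, raw, status in records:
        parsed = parse_request(raw)
        if parsed is None:
            continue  # not RTSP; skip rather than guess
        method, uri, headers = parsed
        reasons = []
        if ipaddress.ip_address(src) not in ALLOWED_SOURCES:
            reasons.append("source-not-allowlisted")
        if urlsplit(uri).path.lower() == LEGACY_PATH:
            reasons.append("legacy-axis-path")
        # A 401 to a credential-less request is the normal Digest challenge;
        # only a 200 means the camera served the stream description unauthenticated.
        if method in STREAM_METHODS and "authorization" not in headers and status == 200:
            reasons.append("served-without-credentials")
        if reasons:
            findings.append((src, uri, reasons))
    return findings
```

On the sample, only the request from the non-VMS host is reported, with all three reasons attached.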

Jon, I can confirm the changing of the stream to mjpeg just by pulling the RTSP stream. As I recall other settings may have been changed as well. There's a post about it somewhere, but I don't believe there was a resolution.

I figured Dahua had fixed it by now. Are you saying this happens on the latest firmware?

Yes, it is still an issue for all of our Dahua models, all of which are up to date with the latest available firmware. I can get models/versions if needed or if it helps resolve the issue.

Ok, today we finally received assistance getting the Dahua 4MP cams upgraded and can now verify the firmware version did indeed fix the RTSP issue. I was asked not to disclose the way we were able to push the firmware, but I would gladly tell others via PM if needed.

OK, today I received a new firmware file for the 3MP cameras and it also resolved the RTSP flaw that we had issues with.

Thanks to Robert @ SavvyTech!


But on a serious note, if someone needs this file or something similar for an EOL model, please go through me first so I can be sure you get the right firmware.

Last thing I need is to have people bricking their cameras without supervision.

Real thanks goes to my rep @ Dahua!

The power of butt kissing wins again!