Dahua Broken Access Control Vulnerability

Published Jan 25, 2022 15:53 PM

Just 4 months after Dahua admitted 2 critical vulnerabilities, Dahua is quietly admitting a new high (8.1) vulnerability. The researchers found ~277,000 of these vulnerable devices online.

IPVM Image

In this report, IPVM examines the vulnerability, first documented by Romain Koszyk of the French cybersecurity and privacy company Digitemis, including:

  • How the vulnerability works
  • Models Impacted
  • Dahua Cybersecurity History
  • Dahua USA No Disclosure
  • Dahua Cybersecurity Guidance
  • Feedback from Dahua
  • How to resolve this

How ** *****

***** ******* *** ******* ***** ******* for *** ****** ** ** *******, without **************, ***** **** ****** ** attacker ** ***** *** ***** ******** using *****'* ******** ************ ***** ******** process.

*********, *** ****** ************* ******* **** documented *** *************, *** ********** **-**** ******** ******** *********** *** vulnerability.

** ******* ****, *** ******** ****** sets * *** ***** ******* (**********.**********):

IPVM Image

**** *** ********'* ***** *** ** the ******'* ******* *****, *** ******** may ******** *** ****** ***** ** code ***/** *** **** ** ******** and **** ** ** ***** ** be ***** (************* ********* ** ****** ~5 *******, ********* ** *** **********).

******** ***** *********:

IPVM Image

******** ***** ******** **** ********:

IPVM Image

Most ****** ********

** ******** **** **** ************* ****** the ******** ** *****'* ********, ********* most *****, ***, *** ******* ****** models, *********, *** ****, ***** ** the **** ********** ****** ***** ******** ** *** security ******. ***** ** ** **** ** North ******** **** ******* *********, **** Dahua's **** **** ******* (*.*. ***-*****). There ** *** * *****-********* *********, and ***** ******** ***** ****** ****** their ****** *** ********.

IPVM Image

********* **** "**** **** ******* **** than *** *** ******* ******* ** the ********." ** ********, ****** ********* lists * ***** ** ***,***+ ***** devices ** *** ********.

Dahua *** ******

**** *** * ***-******* ******** ****** in *** *** ***** *** ********** firmware, *** *****'* **********:

IPVM Image

*** **** ******** * ** **** reset ******, ***** *****:

IPVM Image

** *** *** ********* *** ******* and ***** ***** *** ******* ***** it ********* *** *******.

Port ********** ***********

*****'* ************* **** ********* **** *** a ******* *** ************* *** *********** which ***** ********** ** **** ******* NVRs.

IPVM Image

**** ********** ******* *** **** **** this ************* *** ** *********.

Dahua: **** ************* ******

***** *************** *******:

**** ************* ** **** *** **** recent ******* ** * **** **** of ******** *************** **** ***** ********* which *** *** ** *** *** China **** ***** ***** ** ****-****** manufacturer *** ****** ****** ** *** *** **************.

Feedback **** *****

*****'* ******** ** **** ** *****:

*** ******** *** ********* ** *** customers’ ******* *** ******* *** *** highest ******** *** *****. *** ************* that **** ** ********* ** ** this **** *** ****** *** ** a ******** ***** **** ** ******** in *********, *** ******** ******* ******* are *** ** ****.

**** ***** ** ****** *** ********* we *****:

  • ** ***** ***** ** ******* * notice ** *** ** ****? ***** *** *** ******* ** *** cybersecurity ****** **** *** ****.
  • **** ***** ** * ***** ****** announcement ** **** *********? *.*. ***** release ** ****** ***** *****. ** yes, ****** ******* ***** *** ** will ******* **** ** *** ********.
  • **** ********* *****'* ******* ***************, ********* two ******** *************** **** ****, ***** vulnerabilities ** ****, * ** ****, the ******** ** ****, ***. ** years **** ***** **** **** ***** was *********. **** ***** **** *** comment ** *** ***** ***** *************** continue *********?

Patched ******** *********

***** *** ******** ******* ******** *** devices ******** ** **** *************. *** affected *** ************* ******* ******** *** listed ****, ** *****'* ******** ********. ******* ******** ** ******* **** vulnerability *** ** ***** *******'* ************ ***** **** ** *** **.

Comments (24)
UM
Undisclosed Manufacturer #1
Jan 25, 2022

***. ***** **** *** ******** ***** mechanisms. *** ** **** ****** ** using ***-**** *********? ** ****** **** there ** * ******** ** *** system. ** **** *** **** ** these.

*** ** ***** * ************'* *** easier **** ** ***** ** ****** the ******** *** *** *****'* **** the ********, *** **** ** ********* a ******** **** *** ******.

(2)
(1)
JH
John Honovich
Jan 25, 2022
IPVM

*** ** **** ****** ** ***** one-time *********? ** ****** **** ***** is * ******** ** *** ******

*** ******* * ** ************ ******* about ** *** ***** ***** **** the ******* ***** ******* ** *** device **. **** ******* **** **** of ************* ******* **** ****** *** Dahua ** / ***** ** **** how ***** ***** ** **** ** verify **** *** ******* ***** ******* is. ****** **** ******** ** *********** on ****?

(2)
(2)
UM
Undisclosed Manufacturer #1
Jan 25, 2022

***** *** **** ****** ******* * "product **********" ****** **** *** **** to ** ******* ****** *** *** use *** ******. **** ** **** I ******* ** ********* **** ***** address *** ********* ******** ***** ******** questions. ** **** *** **** **** password, *** ***** * **** *** it ****** *** * ***** ****. If *** ***'* **** ****** ** the *****, **** *** *** ***** management ******** ** *** ******* ** generate * ******* *** ***** ** from *****, ** **** *** ** code.

**** **** ** *** ** **** data ***** *** (*** ********) ** possible, ** *** ********** ****** ****** them ** ******* ****, *******, *****, phone, ***....

(1)
JH
John Honovich
Jan 25, 2022
IPVM

*** **** ************* **** *** ****** on *** ****** ******* ***********, ** the ********** ***** **** ** *** change *** ******* ***** **** ** already ****** ****** *** **** **** show ******** ***** ********* *** ********. This ******** ******* ***** ** ******** updating *** ***** / ******* *** time *** ******* ***** ******* ** changed, ***/**?

(1)
(1)
UM
Undisclosed Manufacturer #1
Jan 25, 2022

** *** ******** ** ** ******* never ********* **, ***** *** **** still ****? ** ** ******* ********* it *** **** ** *** ************ from *** ******** ** * **********, could **** ***** *** * ****?

*** ****, ** ****** **** **** have ************** **** *** *** *** a ***** **** ******. ***** * good ****.

(1)
(1)
UE
Undisclosed End User #2
Jan 25, 2022

*** *** *** ********* ******** ***** upon **********, *** * ***** ******* of ***** ******* *********** ***-** * password ***** ****** **** ******** ********* (which *** *********) *** ** ***** address (**** ** *** *********) *****. We've ********* ******** ******* ***** ** input * ***** ****** *** *** security ********* ***** ***** ** ****** info *** ** *** ******* ** the ******** ********* **********, *** **** just ***** *** ***** ******* *****, and **** *** ** ********. ** haven't *** ** *** *** ******** reset, ******* ** ******** *******, ** just ******* ******* *** **-** *** set-up.

(1)
Avatar
Ethan Ace
Jan 25, 2022

* *** ** **** ** ****** off *** *** ** ** ****, but * ***** ** ** ********.

*** ** **** ******** ** ********* string **** ******** *** ********** ***** address, ****** ******, *** ***. *** that *********** ** **** ** ***** when *** **** *** ** **** using *** ****** *** ** **** you ***** *** ****** ** **** (as *** *********** *** ** **** exploit). ** ******'* **** ** **** the ****** ***** **** *** ******** any ** **** ** *******.

**** *** ******** ** ******* ** click ***** ******** *** *** **** message ********** **** ****'** ********** **:

IPVM Image

****, *** ***** ******** ** **** sent ** *** ********** *******, *** the ******** ******. ** ** * send ***** **** ****** *** **** NVR, *** **** ***** ******* ** registered, ** **** **** *** ***** code ** ***, *** **. ** Digitemis' ********, *** ****** *** *** reset ***** *** *** ****, ** this ***'* *****.

*** ***** ****** **** ** *****'* phone **** ** ******** ** ******* resetting * ****** ******* ** ********* to *** ********, *********** ** *******, then ********* *** ******** *** *****.

(1)
(1)
UI
Undisclosed Integrator #3
Jan 25, 2022

*** ** **** ******** ** ********* string **** ******** *** ********** ***** address, ****** ******, *** ***. *** that *********** ** **** ** ***** when *** **** *** ** **** using *** ****** *** ** **** you ***** *** ****** ** **** (as *** *********** *** ** **** exploit). ** ******'* **** ** **** the ****** ***** **** *** ******** any ** **** ** *******.

**** ******... ****** ***. ** **** really *** ** *****?

***** **** *** ********** *** **** from? ** ** ** *** ********? Is ** *** **** ** *** devices? ** *** **** *** ********** key **** *** ******, *** *** effectively **** ****** ***** ******** *** any ****** **** *** **** *** MAC ******* *** ****** ****** **?

Avatar
Ethan Ace
Jan 25, 2022

***** **** *** ********** *** **** from? ** ** ** *** ********? Is ** *** **** ** *** devices? ** *** **** *** ********** key **** *** ******, *** *** effectively **** ****** ***** ******** *** any ****** **** *** **** *** MAC ******* *** ****** ****** **?

* ***'* **** ***** ******* ** these ********* **** ***% *********, *** I ***** ***** * ***** **** if ******* *** ******* *****'* ******** reset ********* ** ***** ** *** over *** ******** ** ***.

*** *********** ******** ** ** * minimum, *** ********** ***** ***** *******, the ***, *** *** ****** ******, but ***** ***** ** ***** *********** encoded *****, ****. **** ***** ******** resets **** ** *** **** *** date ** ****** *** ********** ***, also.

(1)
bm
bashis mcw
Jan 25, 2022

***** **** *** ********** *** **** from?

*** ****** ***

** ** ** *** ********?

***

** ** *** **** ** *** devices?

**

****: *** *** **

*** *** ******* *** ***** **** Firmware, *** ** ******* *** ********* devices.

* ***** ***** ** * ****** for *** *** ********* ****** ****** with "**************", ***** **** ** **** points ** *** ******* ***.

(4)
UI
Undisclosed Integrator #3
Jan 25, 2022

** ** *** ****** *** (******** to *** ******* ******) ******** * message ** *** ****** *** ****'* what's **** ** *****? *** ** earth **** **** ********* ************? *'* still *** ******* **. ** *** serial ****** ******? ** *** ****** key ** ** *** ********, ****'* not ****** (****** *** ***'* ******** to ********* ****** ********, ******). ***** if *'* ****** **** *********.

bm
bashis mcw
Jan 25, 2022

******** ********* **** ****** *** *** only ** ********* **** ******* ***. Private *** *** *** ** *** FW, **** *** **** *****.

*** *** ************, */* ***** **** specific *******, **'* **** **** ***** wrote *****.

IPVM Image

*******, *** ***** **** *** *** back **** *** ****** ****** ** used ** ******* ******, ** *** details *** **** ******** *** **** device ****. **** *** *******, */*.

(1)
UI
Undisclosed Integrator #3
Jan 25, 2022

** ** ******** ** ********* *** RSA *** **** **** ***, ** you *** ******* *** *******?

(1)
bm
bashis mcw
Jan 25, 2022

**, **'* */* **********. ***, ** you ***** **** *** **********/********** ** FW *** ******* ******* *** **** flash **** ****** ** ** *** device.

*******, * ****** ***'* *** **** point ****, *** **** **** ** see **** ****** *** *** ********* content ** ****?

UI
Undisclosed Integrator #3
Jan 26, 2022

****, *'* ******* **** **** ***** is *********.

*** ******** ** ** ******** ******* has ******* ******. *** ******** **, can *** ******** ***** ** ****** to *** **** *** ****** ******?

*** **** ********* **** ** * shared ****** ******* *** ****** *** Dahua. * **** **** ** *** broader ******* - ********* **** ***** and *** ****** **** **** *** attacker **** ***. ** ***** ** no ******, **'* **** * ****** of ********* *** ***** ******* *** the ******** **** (** ** *****, I ***'* **** ****** *******). **** create * ***** ******* **** * burner ***** *******, ******* ** **** the ****** ***, **** ** ** Dahua *** ****'** *** *** **.

******* ** *** ******** *** ** part ** *** ******. ****** *** cryptography *****'* **** **** - *** that ***** ** ****** **** *** read *** *******. ******* ************ ***** is ***** - *** **** *** device ** *** ******.

* *** *** *** *** ******* if *'* ** *** *******. **** can't ** *** ******.

****** ************* ******. * ***'* **** **** information *** ******* ******, *** * lot ** ******* **** **** ******. In ** *******, ****** ****** ** more ** ********* ** ********, *** proof. **** *** ********, *** *** the ********.

*** **** *** * *** ***** of *** ***** ** ** **** is ** **** * ********* **** in *** ******. **** **** ********** *** **** ******** *****. *** code ** *** ** *** ****** in *** ******* *** ****** ***** with *** ****** ****** ** * giant ******** *********.

****** *****'* * **** ** ***** authenticity ** *** ****** ****** ** used (*** **** *** **** **** unauthenticated ***), **** ** ****** ***** like *****'* * *** *** ** attacker ** *** **.

(1)
bm
bashis mcw
Jan 26, 2022

*** **** *** * *** ***** of *** ***** ** ** **** is ** **** * ********* **** in *** ******.

**'* **** ******* **** *** *****, the *** *** */* *** **** one ***** ***** ** *** ****, there ** **** ***** ****** ****'* more ******* ** **** ******* **** cannot ** ***** ******* ** *** device ******. ** **** *** **** have * ********* ** *** (** something) *** *** ******** ** *** code.

* ***** *** *** *** *** "Cybersecurity ********" **** * *** ** another ****** **** ** ****, *** is *** ****** ** **** ** reveal ********** ******** ******* **** * know ** **** *******.

(2)
UI
Undisclosed Integrator #3
Jan 26, 2022

**, **, *'* *** **** ***. I'm *** ***** ***. **** * sysadmin *** * ***** **********. * don't **** ****** ** * ***** device, ********* * ***** **** **** trying ** ****** ***** ********* ******. The ******** ***** ******* ******* ****** sketchy ** **, *** * ***** it's **** ****. ** ******** ******* was ***** **** ******* * ******* I ***** ** ** ** *********, but **** ***** ***** ** ********* I ****'* ****** (***** *** ******* out). ****** *** ****** *** **** to *******.

(1)
(1)
JH
John Honovich
Jan 26, 2022
IPVM

* ***'* **** ****** ** * Dahua ******

*** *** ** ****** **** ******** / ********* ** *************, ** *** facilitate ****** ** * **** ****** of ******* **** ******* *************. **** email ** - ****@****.***

(1)
bm
bashis mcw
Jan 28, 2022

** *****, ** ******** ** ***** (and ***** *** ****** *** **** another **** ******)

**** * **** ***.

Avatar
John Scanlan
Jan 25, 2022
IPVM • IPVMU Certified

*** ******** ***** ********* ***** *******.

* *** ** ** ******* **** only *** *** *** * ****** connected ** * ****** ******* ** uplink ** ***** *****:

IPVM Image

* ******* ********* *** ***, ********** the **, *** ******* * ********. I ******* ** ***** ** *** contact *** *** ******, ***** **** a ********* ***** ****** * ***** it. * ********* *** ****** ******** procedure **** ******* *** ** **** and **** *** ******** ****** ** Dahua *** *****. * ******** ** email **** * **** **** ** about * ****** *** *** **** to *** * *** ******** *** then *** **.

(2)
(2)
JH
John Honovich
Jan 25, 2022
IPVM

**** ****! **** ** **** *** QR ****, ** ** **** ********* what *** ******* ******* ***** ** and **** ** ********* ** **** is **** **** ** *****?

bm
bashis mcw
Jan 25, 2022

*******, *** ***** ** **** ** the *** ********* *******.

****** ****** ******** ***** ***, **** issue **** **** **** *** ** that ** **/*** ******** ** ****** the ***** ******* */* **************.

* *** ******* *** *************, *** some ***** ********* *** ** ****** w/o *** ******** ** ***** **, have *** ***** ******* */ *** FW *** *** ******* *******.

**** **** ******* ** *** **********.

(1)
(1)
JH
John Honovich
Jan 25, 2022
IPVM

**** **** ******* ** *** **********.

***, ** **** ****, **** ********* ******** **** ******* ********** **** ***** it *** **** *** ******* *** timing ** ***** *******:

***** ********** **** *** ***** ***** team, ** ****** *** **** ******************** **** **** ********** **** *************.

(2)
bm
bashis mcw
Jan 25, 2022

***********, ****** ** **** ****** ** keep ** "** **" ** ****** didn't ****/********.