Dahua Hard-Coded Credentials Vulnerability

By IPVM Team, Published Nov 20, 2017, 10:30am EST

A newly discovered Dahua backdoor is described by the researcher discovering it as:

not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor

This comes after other recent cyber security issues involving Dahua, including:

A group of ex-NSA researchers found these hard-coded credentials in Dahua products. The finding was picked up by The Washington Post and Fortune, but those publications failed to analyze the true extent of Dahua's most recent vulnerability.

IPVM spoke with Terry Dunlap [link no longer available], the CEO of ReFirm, the research company that discovered the vulnerability, as well as representatives from Dahua, to analyze its potential for impact. Will it be the next Mirai? Details are in this note.


Comments (16)

I would love to hear Dahua's explanation for the 'intentional backdoor placed into the product by the vendor' conclusion...

Agree: 1 | Disagree | Informative | Unhelpful | Funny

It is in their security notice linked in the report:

Summary:

Firmware upgrade authentication bypass vulnerability was found in Dahua IPC-HDW4300S and some IP products. The vulnerability was caused by internal Debug function. This particular function was used for problem analysis and performance tuning during product development phase. It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution.

 

Agree | Disagree | Informative: 2 | Unhelpful | Funny

Credible sources from Dahua claim this is all a guise by ReFirm in order to garner free press, and that no Dahua North America products are affected. So that’s their REAL take on this matter.

Agree | Disagree | Informative: 1 | Unhelpful | Funny: 1

In communicating with Dahua on this, they confirmed the vulnerability found by ReFirm, so I do not think it is fair to call it a "guise" when Dahua did not dispute the vulnerability.

While Dahua did say the vulnerable NVR that they found was a China-only model, they did not state that the IPC-HDW4300S camera was limited only to specific markets. They also do not state this on their security notice. If it is true, Dahua should provide that information as part of their release, not through a second-hand comment on IPVM.

ReFirm listed several vulnerable devices in their report where this Dahua vulnerability was published. The report certainly seemed to call attention to their company, and the media contacts they were doing were, at least in part, a desire to get publicity. Still, that does not detract from the fact that they found a vulnerability that Dahua admitted to.

 

Agree: 1 | Disagree | Informative | Unhelpful | Funny

Had to give the "funny" upvote just for the "Credible sources from Dahua" part. Almost did a spit take from that. Go ahead and give an "Unhelpful" to this if you must.

Agree: 2 | Disagree | Informative | Unhelpful | Funny: 2

“Credible sources from Dahua”

Maybe he meant “Incredible”.

Agree | Disagree | Informative | Unhelpful | Funny: 3

"It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution."

+1 pts for Dahua for at least admitting that they put this backdoor in themselves - unlike Hikvision (EDIT: who continue to deny the obvious.)

-1 pts for Dahua for focusing on their own 'non-responsibility' by defending their inclusion of the back door as 'innocent'. (ignoring, of course, that the existence of the back door itself is what makes their device potentially dangerous - and vulnerable to exploits from 3rd party bad actors)

Agree: 1 | Disagree | Informative: 1 | Unhelpful | Funny

Have checked and seen this in some of my "laying around" FW, but not so many as I expected.

Edit: Still, I think this is serious, as it actually allows you to upload new tampered FW as 'anonymous', so the PoC they say they have done is real.

Agree | Disagree | Informative | Unhelpful | Funny

Something bothers me about the date of the "fix" and the date range they claim is affected.

Wouldn't they brag a little bit about the firmware having already been available and that this problem didn't affect models that had the most recent firmware from 2 years ago?

Agree: 1 | Disagree | Informative | Unhelpful | Funny

Don't bother, Dahua always releases a fix from 2015 for a vulnerability from 2016 and reported in 2017.

They have an awesome time-travel program!

 

Agree | Disagree | Informative | Unhelpful | Funny: 2

Except we've had that exact same firmware since that date. So why is this vulnerability reported now?

Did they recompile the same firmware with the fix without changing the date? Am I going to have to request them again?

Agree | Disagree | Informative | Unhelpful | Funny

Questions should be redirected to Dahua and not me, as I don't get the "logic" either...

Agree | Disagree | Informative | Unhelpful | Funny: 1

Update: Dahua has updated their security notification, adding 7 IP cameras and 1 more NVR, excerpt:

Dahua says they will "provide update information if additional affected products are identified."

Kudos to Dahua for publishing more information and proactively sharing it with us. However, it is somewhat worrisome that they cannot more easily, systematically and quickly detect what is in the firmware for various products. Anyone particularly agree or disagree on that?

Agree: 1 | Disagree | Informative | Unhelpful | Funny

Well, it seems that they squashed this way before the press release because we've had this firmware and we didn't particularly get told why.

The version numbers they claim are affected are merely from older baselines. The Adreia one still bothers me though.

In reality this feels more like a case of, "we got caught for an old vulnerability again, but at least this time we already had it taken care of, otherwise we would have never had to say anything about it to anyone."

Agree | Disagree | Informative | Unhelpful | Funny

Basically, their fix seems to have been to close port 3800 altogether (which actually has been closed on new firmware from late 2016-2017 onward). However, I see no real mention of the removal of the backdoor account/credentials, so how good is this "fix"?

Port 3800 was the upgrade daemon and is certainly applicable and necessary for a lot of units that refuse to upgrade or got stalled midway through a firmware upgrade and can still be pinged. I think sometimes the port still works under non-full boot conditions, but I haven't soft-bricked enough units recently to test.

Agree | Disagree | Informative | Unhelpful | Funny

However, I see no real mention of the removal of the backdoor account/credentials...

It would seem that “dahua”, “dahua” are not credentials but rather conditional code.

 

Agree | Disagree | Informative: 1 | Unhelpful | Funny