This article is no longer available publicly. Please subscribe to read.

Dahua Hard-Coded Credentials Vulnerability

Published Nov 20, 2017 15:30 PM

A newly discovered Dahua backdoor is described by the researcher discovering it as:

not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor

This comes after other recent cyber security issues involving Dahua, including:

A group of ex-NSA researchers found these hard-coded credentials in Dahua products. The finding was picked up by The Washington Post and Fortune, but those publications failed to analyze the true extent of Dahua's most recent vulnerability.

IPVM spoke with Terry Dunlap [link no longer available], the CEO of ReFirm, the research company that discovered the vulnerability, as well as representatives from Dahua, to analyze its potential for impact. Will it be the next Mirai? Details are in this note.

*******

* ****-***** ******** *** ******** *** be **** ** ****** ***** ******** to ******** *******, ********* ******** ************** methods **** ******* ******** ********. **** allows ** ******** ** ***** ***** own **** (*.*., *****-***** ****** ****) into ********** ******** *** **** ** directly **** ***** *******. *** ************* is **** **** ** *******, ****** it ****** ** * ******** **** being ******** ********** (**** ****), ***** may **** ***** ******* ******.

***** *** ******** ******* ********, ****** the *** ** ******** ** *** research *******.

Vulnerability ********

****-***** *********** (********/******** ** *****/*****) **** found ** * ******* ****** "********", which ******* ** **** **** *** is **** ** ******** ****** ******** updates. *** ************* *** ***** ** Dahua ******** ******* *.***.****, ****** ** is *** ******* ** **** **** version. **** ******* ** *** ************* are ******** ********'* ******** **** ************* ******, ******** ** **** **.

*** ***** ***** ** * ********** ReFirm ******** **** ***** ******** ***** shows ***** *** ****-***** *********** ****** in *** ****:

IPVM Image

********* ** *****, *** ************* *** only ** **** *** ******** ******* processes, *** *** *** ** **** to **** ****** ****** ** ******** devices ** ******** *** **** ****.

Exploit ********* ****

****** ****** ** **** ********* * proof ** ******* *******, ***** **** were **** ** ****** * ***** firmware ***** **** ******* ** *************** telnet *******, ******** **** ****** **** a ***** ***** ** *** ******. From **** ***** ** ******** ***** have **** ***** ** *** ******, allowing **** ** ****** * *** Mirai-style ******, ****** ** ***** ***** data ** *** ******, ** ********* with *** *********. ********* ***** **** upload ******** ******** **** ******* *** botnet ********** *********, ****** * ****** that ********* ****** *******, ********* *** original ***** ******.

Affected *******

***** ****** * ******** ************ [**** no ****** *********], ***** **** ***** 2 ******** ********, ********* * ** camera (***-********) *** * *** (*******, which ***** **** **** ** *****). Links ** ******* ******** *** **** contained ** *** ******** ************.

****** *** ****: ***** *** ******* their ******** ************ [**** ** ****** available], ****** * ** ******* *** 1 **** ***.

****** **** ****** ** **** ***** the ************* ** * ***** ***** of ********, ******* "******** ** ******* other ******** ****** **** ******** ***** camera ****** ******** **** **** ***** camera ******** ******* **** ***** **** upgraded *******, ********* *** “*****” ****-***** backdoor ***********."

***** ****** "*** ******** ******* ***** June **** *** *** ********", *** also ********* **** *** ***** ********* products **** ***** ********. ***** ** this, ** ***** ********** *** **** of ******** ******** ***** ******* ** Dahua ********* ** *********** ******** *******.

Overall **** ******

***** *** ****** ******* ** **** service ** **** ****, ******* ** would ** ******** ** **** ****-********** rules ***** *** ****** ****** (****** users ****** *** ****** ** * DMZ), ******** ******* ********* ** ***** LAN ****. *****, **** ******** * risk ** ******* *******, ** ********* gaining ****** ** *** *** ******* other ***** (**** ****, ***** *********** devices, ***.), *** **** ************* ****** not ** ********** ****** ****** ******* it ***** ********* ** **** *******.

Fix ********

****** ****** **** ********** *** ****** firmware **** *** **** ***** ********, and ***** *** ****-***** *****/***** *********** still *******, ** **** **** **** to ****** * ******** ******* ** a ****** ******* *** ********** ******* firmware. ***** ****** **** **** **** unable ** ********* ******'* ********, *** that *** ****-***** **** **** *** been ******* **** ****** ********. ** of *** **** ** **** ***********, Dahua ** ********** ** ******* ****** to *** **** ******* ** ***** claim ** *** ************* ***** ******** in *** ********* ***** ********.

Dahua ******** *********

*****'* ******** ** **** ************* ****** has **** ******* ****** **** ******* vulnerabilities ** *** ****. **** **** been ********** ** ********* **** **** for *******, *** **** ******* ***** Security ************ ** **** **** ********** through ********** *** *************. ** ***** credit, **** **** ******** ****** ******* after *** ************* *** *********, ** ReFirm **** ******** ***** * **** in ******* ** ***** *******, ****** some *********** ***** ******* *** ***** 30-45 **** ******* ****** ** *********** to ******* * ********.

ReFirm **** ******** *******

****** ** * *********, ** ***** security ******** ******* ******* ** **-*** security ********. *** ******* **************** $*.** ** ******* *******, *** **** *********** **** **** to ******* ***** ***** ******** ****** to ******* ***** *******, **** ** Fortune *** *** ********** ****.

*** ******* *** ********* * ******* called "**********", ***** **** ***** *** evaluate ******** *** ******* *** ******* automatically ** ****** *************** **** ** back *****. ****** **** ******* *** Centrifuge ******** ** * **** ***** to ********** ** ***-***** *** **** to *** ** *** ********* ************* analysis.

****** **** ******* *** ** **** directly *** ******** ** ******* ** the *******, ***** ** ******* ***** we ***** *** ******** **** *****.

Comments (16)
UM
Undisclosed Manufacturer #1
Nov 20, 2017

I would love to hear Dahua's explanation for the 'intentional backdoor placed in to the product by the vendor' conclusion...

(1)
Avatar
Brian Karas
Nov 20, 2017
IPVM

It is in their security notice linked in the report:

Summary:

Firmware upgrade authentication bypass vulnerability was found in Dahua IPC-HDW4300S and some IP products. The vulnerability was caused by internal Debug function. This particular function was used for problem analysis and performance tuning during product development phase. It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution.

 

(2)
U
Undisclosed #2
Nov 20, 2017

Credible sources from Dahua claim this is all a guise by ReFirm in order to garner free press, and that no Dahua North America products are affected.  So that’s their REAL take on this matter.

(1)
(1)
Avatar
Brian Karas
Nov 20, 2017
IPVM

In communicating with Dahua on this, they confirmed the vulnerability found by ReFirm, so I do not think it is fair to call it a "guise" when Dahua did not dispute the vulnerability.

While Dahua did say the vulnerable NVR that they found was a China-only model, they did not state that the IPC-HDW4300S camera was limited only to specific markets. They also do not state this on their security notice. If it is true, Dahua should provide that information as part of their release, not through a second-hand comment on IPVM

ReFirm listed several vulnerable devices in their report where this Dahua vulnerability was published. The report certainly seemed to call attention to their company, and the media contacts they were doing were, at least in part, a desire to get publicity. Still, that does not detract from the fact that they found a vulnerability that Dahua admitted to. 

 

(1)
UD
Undisclosed Distributor #4
Nov 21, 2017

Had to give the "funny" upvote just for the "Credible sources from Dahua" part.  Almost did a spit take from that.  Go ahead and give an "Unhelpful" to this if you must.

(2)
(2)
U
Undisclosed #5
Nov 21, 2017
IPVMU Certified

“Credible sources from Dahua”

Maybe he meant “Incredible”.

(3)
U
Undisclosed #3
Nov 21, 2017

"It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution."

+1 pts for Dahua for at least admitting that they put this backdoor in themselves - unlike Hikvision (EDIT: who continue to deny the obvious.)

-1 pts for Dahua for focusing on their own 'non-responsibility' by defending their inclusion of the back door as 'innocent'. (ignoring, of course, that the existence of the back door itself is what makes their device potentially dangerous - and vulnerable to exploits from 3rd party bad actors)

(1)
(1)
bm
bashis mcw
Nov 21, 2017

Have checked and seen this in some of my "laying around" FW, but not so many I could expect.

Edit: Still, I think this is serious, as it actually allow you to upload new tampered FW as 'anonymous', so the PoC they saying have done is real.

RS
Robert Shih
Nov 21, 2017
Independent

Something bothers me about the date of the "fix" and the date range they claim is affected.

Wouldn't they brag a little bit about the firmware having already been available and that this problem didn't affect models that had the most recent firmware from 2 year ago?

(1)
UE
Undisclosed End User #6
Nov 21, 2017

Don't bother, Dahua always release a fix from 2015 for a vulnerability from 2016 and reported in 2017.

They have awesome time-travel program!

 

(2)
RS
Robert Shih
Nov 22, 2017
Independent

Except we've had that exact same firmware since that date. So why is this vulnerability reported now?

Did they recompile the same firmware with the fix without changing the date? Am I going to have to request them again?

UE
Undisclosed End User #6
Nov 22, 2017

Questions should be redirected to Dahua and not me, as I don't get the "logic" either...

(1)
JH
John Honovich
Nov 24, 2017
IPVM

Update: Dahua has updated their security notification, adding 7 IP cameras and 1 more NVR, excerpt:

Dahua says they will "provide update information if additional affected products are identified."

Kudos to Dahua for publishing more information and proactively sharing it with us. However, it is somewhat worrisome that they cannot more easily, systematically and quickly detect what is in the firmware for various products. Anyone particularly agree or disagree on that?

(1)
RS
Robert Shih
Nov 27, 2017
Independent

Well, it seems that they squashed this way before the press release cause we've had this firmware and we didn't particularly get told why.

The version numbers they claim are affected are merely from older baselines. The Adreia one still bothers me though.

In reality this feels more like a case of, "we got caught for an old vulnerability again, but at least this time we already had it taken care of, otherwise we would have never had to say anything about it to anyone."

RS
Robert Shih
Nov 27, 2017
Independent

Basically, their fix seems to have been to close port 3800 altogether (which actually has been closed on new firmware from late 2016-2017 onward). However, I see no real mention of the removal of the backdoor account/credentials, so how good is this "fix"?

Port 3800 was the upgrade daemon and is certainly applicable and necessary for a lot of units that refuse to upgrade or got stalled midway through a firmware upgrade and can still be pinged. I think sometimes the port still works under non-full boot conditions, but I haven't soft-bricked enough units recently to test.

U
Undisclosed #5
Nov 27, 2017
IPVMU Certified

However, I see no real mention of the removal of the backdoor account/credentials...

It would seem that “dahua”,“dahua” are not credentials but rather conditional code.

 

(1)