Dahua New Critical Vulnerability 2019

By John Honovich, Published Sep 23, 2019, 08:51am EDT

Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored 7.0 - 9.0), found by researchers from the University of Applied Sciences Offenburg who are setting up a startup, IoT Security Systems.


Inside this note, we examine the severity of these vulnerabilities, Dahua's response and impact on dealers and OEMs of Dahua.

These vulnerabilities are in addition and separate from the Dahua wiretapping vulnerability disclosed last month.


Comments (29)

That video is cringe-inducing. I know it doesn't say this specifically, but it gives you the impression that a big part of Dahua's cyber security involves homeopathy and eating organic produce while focusing on their chi.

Agree: 2
Disagree
Informative
Unhelpful
Funny: 13

They use some essential oils

Agree
Disagree
Informative
Unhelpful
Funny

Use CBD to secure your devices!

Agree
Disagree
Informative
Unhelpful
Funny

I can easily see this transition into the perfect cctv-themed porno...

”Hey baby, I like your chassis.”

”Mmm, yeah, is your FIRMware HARDened, big boy?”

”Yeah, baby... I’m about to do a data dump, I want you to parse my packets.”

Next thing you know, we find out he’s her stepbrother, Hikvision.

Let’s hope for her sake that he’s wearing a firewall!

Agree: 1
Disagree
Informative: 1
Unhelpful: 3
Funny: 23

John, you're a bit behind the timeline on this one... :)

There has been advice circulating for at least a couple of weeks on mitigating these vulnerabilities. I believe that most of the firmware patches have been released so it's just a time thing for SI's to update the deployed devices.

I'm not standing up for Dahua with regards to Cybersecurity, but they do (generally, quickly) fix things that are raised.

So to be clear, the device needs to be fully accessible from the internet... air-gapped, firewalled, P2P connected and VPN accessible sites should all be reasonably safe. Please update firmware and secure the networks properly of course!

Whilst it's a reasonably bad vulnerability, it's not particularly easy to leverage and a (at least) half decent deployment mitigates this.

If you look at comparables, Microsoft has patched around 70 CVE's in Windows update in the last month alone. There are not even 70 CVE's combined for Dahua, Hik and Huawei combined. Cisco has found something like 13 hard-coded backdoors in their products

1. patch early, patch often

2. design the system correctly

3. deploy systems securely

Agree: 2
Disagree: 6
Informative: 1
Unhelpful
Funny

Microsoft has patched around 70 CVE's in Windows update in the last month alone. There are not even 70 CVE's combined for Dahua, Hik and Huawei combined.

Assessing cybersecurity based on CVE total counts is silly. But since you made a specific claim about Huawei, CVE Details shows 516:

To be clear, the bigger issue with such comparisons is that company software output and review are not equal. Microsoft releases many orders of magnitude more software than Dahua and is under far more scrutiny than Dahua.

We can certainly reasonably disagree about whether these vulnerabilities matter or who should be responsible (i.e., integrator vs manufacturer, etc.) but using simplistic CVE count for 'ranking' or judging cybersecurity is groundless.

Agree: 4
Disagree
Informative: 1
Unhelpful
Funny: 1

John,

you 'called me out' for not validating my sources on another post so I qualified all of the data before posting... (sorry it's taken me some time to address your reply)

if you go to CVE - Home (Mitre is THE place for recording vulnerabilities)

The full dataset is publicly accessible here: https://cve.mitre.org/data/downloads/allitems.csv

My statement of "Microsoft has patched around 70 CVE's in Windows update in the last month alone. There are not even 70 CVE's combined for Dahua, Hik and Huawei combined." is very correct.

For the last 3 years, here are the results by manufacturer:

Hikvision: 2019 = 0, 2018 = 2, 2017 = 4

Dahua: 2019 = 7, 2018 = 0, 2017 = 12

Huawei: 2019 = 30, 2018 = 53, 2017 = 237

Total 2019 = 37, 2018 = 55, 2017 = 253

Microsoft: 2019 = 294, 2018 = 479, 2017 = 628

H+D+H as % of Microsoft = 2019 = 12.6%, 2018 = 11.5%, 2017 = 40%

My reference to Microsoft was to put it in popular context. (It would be interesting to see if Microsoft wrote security system firmware and software if they could do a better job!)

To be clear. All vulnerabilities ARE important and need to be addressed. In the security industry, we place a much higher emphasis on having secure products - I did not mean to give any impression to the contrary!!!

Regardless of origin of product, route to market or validation by any body or organisation, we, as responsible installers/designers/maintainers must place a higher focus on deploying equipment in such a way that any future vulnerability is mitigated by the environment we created for it.

A great example of this was the London Underground where various news outlets falsely told the populace of the world that the Chinese government can see everything on the TFL cameras. This cannot be true as the tube network cameras were not all Hikvision and all of the CCTV networks are physically isolated from each other and do not go anywhere near communications service providers (The tube network owns the land the railway lines are on, so if they need connectivity between two sites, they pull in a fibre)

My point being, that IF there was a vulnerability that affected ANY CCTV VENDOR's equipment, it could not have gained outside access nor could it have been affected by (forgive my use of the most overly used phrase in mainstream cyber journalism) 'Back Doors'

Agree: 1
Disagree
Informative
Unhelpful
Funny
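The per-vendor, per-year tally the comment above describes, as an added example (not the commenter's or IPVM's own code). It assumes the MITRE allitems.csv column layout (Name, Status, Description, References, Phase, Votes, Comments) and attributes a CVE to a vendor by matching the vendor name in the Description column, a crude heuristic that also shows why such counts are slippery: an entry naming two vendors is counted for both. The rows are constructed sample data, not real CVEs.

```python
"""Count CVE entries per vendor and per year from a MITRE allitems.csv-style export.

Assumption: the export's header row is Name,Status,Description,References,Phase,Votes,Comments
(the real download may carry preamble lines before that header; strip them first).
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows; the CVE ids are placeholders, not real entries.
SAMPLE_CSV = """Name,Status,Description,References,Phase,Votes,Comments
CVE-2019-00001,Candidate,"Hikvision example issue in a camera",,,,
CVE-2019-00002,Candidate,"Dahua example issue in an NVR",,,,
CVE-2019-00003,Candidate,"Huawei example issue in a router",,,,
CVE-2018-00004,Candidate,"Microsoft Windows example issue",,,,
CVE-2019-00005,Candidate,"Microsoft example issue",,,,
CVE-2019-00006,Candidate,"Dahua OEM issue also affecting a Hikvision model",,,,
"""

# Lower-case keyword -> display name; keyword matching is the (crude) attribution rule.
VENDORS = {"hikvision": "Hikvision", "dahua": "Dahua", "huawei": "Huawei", "microsoft": "Microsoft"}

def count_by_vendor_year(csv_text, vendors=VENDORS):
    """Return {vendor: {year: count}}; the year is taken from the CVE id itself."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("Name") or ""
        if not name.startswith("CVE-"):
            continue  # ignore anything that is not a CVE row
        year = int(name.split("-")[1])
        desc = (row.get("Description") or "").lower()
        for key, vendor in vendors.items():
            if key in desc:  # an entry naming two vendors is counted for both
                counts[vendor][year] += 1
    return {v: dict(y) for v, y in counts.items()}

def group_total(counts, years, group=("Hikvision", "Dahua", "Huawei")):
    """Combined count for a vendor group over the given years (the 'H+D+H' figure)."""
    return sum(counts.get(v, {}).get(y, 0) for v in group for y in years)

def share_of_microsoft(counts, year, group=("Hikvision", "Dahua", "Huawei")):
    """Group total as a percentage of Microsoft's count for one year; None if Microsoft has 0."""
    ms = counts.get("Microsoft", {}).get(year, 0)
    return None if ms == 0 else round(100.0 * group_total(counts, (year,), group) / ms, 1)

if __name__ == "__main__":
    c = count_by_vendor_year(SAMPLE_CSV)
    print(c, group_total(c, (2017, 2018, 2019)), share_of_microsoft(c, 2019))
```

Run against the real export, the same functions reproduce the per-year table in the comment, and the one-year versus three-year totals the later replies argue about are just different `years` arguments to `group_total`.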

Feel I need to give a few comments...

Any manufacturer who has self-respect and respects their customers will do their CVEs, no matter if the vulnerability has been found in-house or reported externally.

Most manufacturers do not file any CVEs at all; the exceptions in my notifications are actually Cisco and Microsoft. That might explain your results.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

Most manufacturers do not file any CVEs at all; the exceptions in my notifications are actually Cisco and Microsoft

Bashis, good point. I'd add that when a company starts basing its cybersecurity performance on CVE count, they have a massive disincentive to file CVEs.

Agree: 2
Disagree
Informative
Unhelpful
Funny

My statement of "Microsoft has patched around 70 CVE's in Windows update in the last month alone. There are not even 70 CVE's combined for Dahua, Hik and Huawei combined." is very correct.

Are you joking?

You then say:

Huawei: 2019 = 30, 2018 = 53, 2017 = 237

So if by your own calculation Huawei has 237 in the last 3 years, how can you conclude you are 'very correct' to say "There are not even 70 CVE's combined for Dahua, Hik and Huawei combined"??

Again, to be clear, ranking or evaluating vendors based on CVE count is fallacious but even by your own claim, you are wrong. I just want you to be less sloppy and do simple fact-checking.

It would be interesting to see if Microsoft wrote security system firmware and software if they could do a better job!

My point is you should not conclude Microsoft is doing a 'worse' or 'better' job than Dahua based on CVE counts. Microsoft develops 100x or 1000x the amount of code Dahua does and is under 10x or 100x, etc. the amount of scrutiny of Dahua.

Maybe Microsoft is worse at software development than Dahua but basing this on CVE counts is foolish since you can't fairly compare the metric across companies.

Agree: 2
Disagree
Informative
Unhelpful
Funny: 1

Missed a vital phrase from original post... my comments were based on 2019 only. I included the last three years to show history.

Agree
Disagree
Informative
Unhelpful
Funny

my comments were based on 2019 only

No, your original comment was:

If you look at comparables, Microsoft has patched around 70 CVE's in Windows update in the last month alone. There are not even 70 CVE's combined for Dahua, Hik and Huawei combined.

Again, why do you keep focusing on CVE counts? Do you really think you can meaningfully and legitimately compare Dahua to Microsoft based on CVE counts? Do any of our points about the companies being vastly different in terms of development and scrutiny make any sense to you?

You are a guy essentially comparing the number of issues found in an aircraft carrier to a car.

Agree
Disagree
Informative
Unhelpful: 1
Funny

"Maybe Microsoft is worse at software development than Dahua but basing this on CVE counts is foolish since you can't fairly compare the metric across companies"

Any idea which metric to use for fair comparison?

Agree
Disagree
Informative
Unhelpful
Funny

I don't know what single metric would be fair / accurate. Anyone with ideas, feel free to share.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Maybe the USA Dollar is a good metric?

How much money has been lost because of Windows problems

versus money lost because of the "cameras" vulnerability problem

Agree
Disagree
Informative
Unhelpful
Funny

Microsoft 2018 revenue was $110 billion.

The entire global video surveillance market was around or less than $20 billion.

It's a bit hard to compare a company whose revenue is 5 to 6x the size of an entire industry.

Agree
Disagree: 1
Informative
Unhelpful
Funny

Who cares about revenue

Google how much money has been lost because of very "secure" OS

Agree
Disagree
Informative
Unhelpful
Funny

Google how much money has been lost because of very "secure" OS

So Dahua is better at cybersecurity than Microsoft?

As for 'who cares about revenue', losses need to be compared to revenue to understand relative impact and net loss or gain.

Agree
Disagree
Informative
Unhelpful: 1
Funny

You did not provide an example of how much money has been lost because of Dahua cybersecurity problems!

Agree
Disagree
Informative
Unhelpful
Funny

Dahua's literally the worst example in the industry to pick since a lot of people have clearly lost on Dahua - Dahua Recorders Mass Hacked

Agree
Disagree
Informative
Unhelpful
Funny

My statement of "Microsoft has patched around 70 CVE's in Windows update in the last month alone. There are not even 70 CVE's combined for Dahua, Hik and Huawei combined." is very correct.

except that Microsoft is primarily a software company, and the others are primarily hardware companies.

the breadth of Microsoft software is immense: everything from multiple operating systems, internet browsers, to office productivity, to ERP, to gaming, to developer tools, to remote access and so on...

Hikua software is VMSes, embedded firmware, tools, AI, ?

how many more lines of code does Microsoft produce than H+D+H ?

factor that in to your equation

H+D+H as % of Microsoft = 2019 = 12.6%, 2018 = 11.5%, 2017 = 40%

Agree: 2
Disagree
Informative
Unhelpful
Funny

As an all star dealer for Dahua, this is the first time I've heard of these vulnerabilities. Dahua has a history of poor communication and I'm growing tired of it. This combined with the choice to ignore past vulnerabilities with attitude of "it's no big deal" is sad. Their arrogance will eventually lead to their downfall. Shame as they make a solid product, but just can't figure out the software side.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny: 2

Brian, we have asked Dahua a few times and I know they are checking. It is possible that Dahua USA models are not impacted though it is hard to tell given Dahua's various firmware and model naming conventions. Either way, Dahua USA should clearly inform their partners. If we get any feedback, we will update here.

Agree: 1
Disagree
Informative
Unhelpful
Funny

that kid is out of his league, she’s a solid 9! she needs a more experienced partner:

though some caution is in order, as he is definitely a player, and has been known to swap out recorders on a whim...

and she, despite her outward bluster, is still quite vulnerable :)

Agree: 1
Disagree
Informative
Unhelpful
Funny

Interesting stuff, however,

[1] doesn't work on my "IPC-HDBW1320E-W, Build: 2017-08-31 09:30:50, Version: 2.400.0000000.16.R" as it uses Digest and not Basic.

[2] Seems not to be working on above device either.

I must say that [4] & [5] are a bit interesting, as they are reporting others' findings... (Ok, they link my PoC, but I think Dahua is already subscribed w/ an obfuscated account and knew about it)

Moreover, I totally agree that the Debug shell/functions should be disabled!

[6], [7] and [8] are widely known, nothing new.

[3] No comments, as I didn't spend time on it, but looks interesting.

Agree
Disagree
Informative: 3
Unhelpful
Funny

looks like the 'start-up' has been 'closed-down', or did I miss something?

Agree
Disagree
Informative: 1
Unhelpful
Funny

Thomas Vogt and Daniel Nussko don't say anything about IoT Security Systems on their LinkedIn profiles. Dennis Barnekow doesn't have a LinkedIn profile.

The domain registration will expire next September.

The site gives a 404 when using HTTP, but sends FIN-ACK in response to client hello to abort TLS connections. If they closed their hosting account, I'm not sure why the server would respond that way, unless the hosting company is trying to preserve things in the background in case the account is reopened.

It's very possible this was a speculative venture, they tried it for a few weeks or months, and then decided it wouldn't work.

Agree
Disagree
Informative
Unhelpful
Funny

It's very possible this was a speculative venture, they tried it for a few weeks or months, and then decided it wouldn't work.

You are right ;) - It was the wrong time to start our own business.

Agree
Disagree
Informative: 1
Unhelpful
Funny

I emailed our contact at the group to clarify. The email to that domain name did not bounce, fyi. If or when they respond, I'll update accordingly.

Agree
Disagree
Informative
Unhelpful
Funny