Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored 7.0 - 9.0), found by researchers from the University of Applied Sciences Offenburg who are setting up a startup, IoT Security Systems.

Inside this note, we examine the severity of these vulnerabilities, Dahua's response and impact on dealers and OEMs of Dahua.

These vulnerabilities are in addition and separate from the Dahua wiretapping vulnerability disclosed last month.

Vulnerabilities Overviewed

Dahua has acknowledged 5 new vulnerabilities:

The most severe (CVE-2019-9677) lets "an attacker can cause a buffer overflow by constructing malicious packets". In a statement the researchers provided to IPVM they confirmed that this vulnerability "allows an attacker to execute malicious code on the camera". This is why it received such a critical (9.8 out of 10.0) score since attacks can take over the camera, either to access its feeds and contents directly or to use it to attack other network devices.

While the attacker will need network access to the devices, as the Dahua mass hackings in 2017 showed, there are a large number of Dahua devices available on the public Internet.

Collection of Advisories

The researchers have released a collection of the advisories with details.

Models Impacted

Dahua's announcement included a list of known models, while it shows 8 rows, we estimate it to impact dozens of total models:

These models are older generation lower to mid-tier cameras. However, all firmware up until August 2019 is impacted.

Dahua qualifies their statement about these being the models 'known to be affected' but we would presume they would know all of them at this point since the researchers reported this to Dahua 4 months ago, in May.

Dahua Response - HQ Statement, USA Nothing

Dahua HQ quietly issued a statement on September 14, 2018. We heard nothing about this until security researcher Bashis, who uncovered the 2017 Dahua backdoor, shared this statement with us, partial screencap below:

We reached out to Dahua on the September 18th, also noting that Dahua USA had no disclosure and still as of today, September 23rd has no notice. Below shows only last month's wiretapping vulnerability:

What Dahua USA cameras are impacted remains unclear. As does all of Dahua's OEMs.

OEMs

Certainly, Dahua OEMs are impacted because the researchers originally found vulnerabilities in OEMed Dahua cameras, with them explaining to IPVM:

The vulnerabilities were originally identified on a white-labeled device from Dahua and the company has not yet released the new firmware from Dahua

As the one month delay for Honeywell fixing the wiretapping vulnerability showed, it is not clear when or if the various Dahua OEMs will do so.

This is yet another example of the dangers of buying from OEMs, even more so than the dangers of buying from Dahua.

Issues Continue For Dahua

Dahua has made various marketing moves claiming to improve their cybersecurity, including an infographic about their 'Cybersecurity Baseline' with a YouTube video that compares Dahua to a petite fitness female:

In that January 2019 video, the Dahua actress dismissively says that their problems 'were a while ago'. This new series of vulnerabilities, including their high and critical nature, re-raises those significant concerns about Dahua's cybersecurity vulnerabilities.