Four "High" Dahua Vulnerabilities, "Not Responded", Says CISA; CISA Removes, Dahua Responds

Published Jul 15, 2022 12:16 PM

The US government's Cybersecurity & Infrastructure Security Agency, CISA, has disclosed four new "High" level vulnerabilities for the Dahua ASI7213X-T1 fever tablet / facial recognition access controller plus one "Medium" vulnerability.


CISA said Dahua "has not responded to requests to work with CISA to mitigate" these serious vulnerabilities. Two weeks before CISA's announcement, Dahua disclosed separate "Medium" and "Low" vulnerabilities for the ASI7 series.

These vulnerabilities are distinct from, and add to, those disclosed this January (Dahua Broken Access Control Vulnerability) and 10 months ago (Dahua New Critical Vulnerabilities 2021).

In this post, IPVM examines this incident and how it highlights Dahua's history of poor cybersecurity.

Update: Dahua responded to IPVM, calling it a "miscommunication" and saying they are in the "process of correcting the CISA advisory."

Update: CISA removed the section about Dahua not responding.

CISA ********* "****" ***** ***************

** **** **, ************** ******** *********** ****** ** ***** vulnerabilities **** "***** ***** ************ ******, upload ********* *****, *** ***** * denial-of-service *********" *** ******** ********-** ****** *********** **********:


*** **** *************** ***** **** *.* to *.* **** (****** ************* ******* ******) ******, **** **** "****" *** one "******"*****:


  • ***-****-****, **** ***** *.* (****), *** most ******* ** *** ****: * '**** *** ****' **** **** ****** ******* ** "access *** ****** ******* ******* * password".
  • ***-****-****, **** ***** *.* (****). *** product ***** ***** "**** ** ******* username ** *******" ***** "***** ***** an ******** ** **** ***** ******** values" *** **************-***** *******.
  • ***-****-****, **** ***** *.* (****). *** device ** "********** ** ********* ************** attempts, **** ** ******** ******** ** credential ******** *******".
  • ***-****-****, **** ***** *.* (****). * feature **** ****** ***** ** ****** potentially ********* ***** "**** ****** ** in *******".
  • ***-****-****, **** ***** *.* (******). ** input ********** **** ** *** ******'* web ****** "***** *** ***** * denial-of-service ********* ** *** ******."

**** **** **** "** ***** ****** exploits ************ ****** ***** ***************."

Based ** ****** ******** ********

**** **** *** *************** **** ******** by****** ********, * **********-***** *** ************* ****. In ******* ****, ****** **** ** had ************ ******** ********** *** ***** ********-** ********, ******** it *** *** ******* *** *************** publicly.

*** ************** *************, ********* *** *** ******* to *****, *** ********* "******** ** obscurity" ** "******** *********** ** ********** firmware, **** *** **** ** ******** any **** ** ******** ***** **** a **** ***** *** ***********".

Dahua ********* **** "******" & "***" ***************

** **** **, *** ***** ****** CISA's ************, ************** * ******** ********"** ******** ** *** ******** ****** reported ** ****** ********". *****'* ******** said ** *** ******** ***** ****** and *** ***-***** ***************:

  • ***-****-*****, **** ***** *.* (******). "**** an ******** **** * ***-**-***-****** ****** to ***** *** ******* ******* **** success ******* ** ******* *****, ** can *** ** ** *** ****** by ********* *** ****'* ***** ******."
  • ***-****-*****, **** ***** *.* (******). "**** an ******** **** * ***-**-***-****** ****** to ***** *** ******* ******* **** success ******* **, *** ******** ***** log ** ** *** ****** ** replaying *** ****'* ***** ******."
  • ***-****-*****, **** ***** *.* (******). "**** an ******** ********* *** ************** ******* and ********, ** ******* * ***-**-***-****** attack, *** ******** ***** **** * specified ******* ****** ** *** ********** interface **** **** *** ****** ** crash."
  • ***-****-*****, **** ***** *.* (***). "** the **** ******* *** ***** ******** on *** ******, ** ******** *** modify *** ****’* ******* **** ****** through * ***-**-***-****** ****** *** ******** to * ********* ****."

***** **** *** *************** ******** *** "ASI7XXXX" ****** *** **** *** ***-***** and ***-**** ****** ****** (***** **** unmentioned ** ****):


***** ************ ******** *********/** ********** ********* ******* ** *******.

CISA: ***** "*** ********* ** ********" ** ******** ***************

****'* **************** ***** "*** *** ********* ** requests ** **** **** **** ** mitigate ***** ***************", ******** *** ******* *** *** *********** "** ************ ****" ** ** national ********:


**** **** *** ***** **** *** companies *** ***** ************ ** ************* mitigation *******. **** ***** **** * handful **** *********:******(***),***** **********(***),***** ******(******),********(*****), *** *** *****.

**** ** *** ***** **** **** calls *** ***** *** *** **********, e.g. ********'* **** **** ****, ******* *** ***********.

Dahua's **** ************* ******

***** ********* *** *********** ************* ***************. For *******, ** ****** ***:

********, ** **** ******** ***** *** problems ********** ** *** ***************. *** example, **** *** **** ****, ***** ignored *** ***********' ****** ** ***** vulnerabilities:


***:


**** ** ******** ***** * ****, IPVM ******** ****** ** ******* ********* a ******** **** *****:


Dahua ********

***** *** *** ******* ** ****'* request *** *******. ** ** **** Dahua ****, ** **** ****** *** report.

UPDATE: ***** ********

***** *** **** *** ********* ********, posted ***** ** ****:

** *** ******** **** **** ********* this ******* ******* ********* * ******** from ** *****. *** ******** *** sent ** ** *** **** ***** was ********** ************ *** ******. ** you **** **** ****, *** *** company ** ******* ********, ************* ********* on ********* ******** ******* ** **** coordinate **** *********** ****** ******** **** zones – *** **** ****** *** company, *** ** *********** ******** ****** that ** *** ******* ** *** schedule. * **-**** ******** ** *** middle ** *** ***** ** *** US *** ******** ** ***** ** impossible *** ** ** *** ********* situated ******** ** *********** *** ** believe **** ***** ****. ******, ** suspect **** **** ** *** ****** point **** ****’* ***********.

** * ****** ** **** ******** approach, **** *** ******* *********** *** readers. **** *** *** *****: **’** investigated *** *********** **** *** **** in **** ******** *******. ****** ****, an *********** ************* ************, ******** **** there *** * **************** ******* ***** analyst *** ***** *********** ** ****. They **** ************ ************* ** *****, and *** ******* ** **** ** in *** ******* ** ********** *** CISA ******** ** ******* *** **** that ***** ********* *** **** ** vulnerabilities **** ****** ******, *** *** issued ******* *** ***** ***************.

Comments (4)
John Honovich
Jul 15, 2022
IPVM

***** *** *********:

** *** ******** **** **** ********* this ******* ******* ********* * ******** from ** *****. *** ******** *** sent ** ** *** **** ***** was ********** ************ *** ******. ** you **** **** ****, *** *** company ** ******* ********, ************* ********* on ********* ******** ******* ** **** coordinate **** *********** ****** ******** **** zones – *** **** ****** *** company, *** ** *********** ******** ****** that ** *** ******* ** *** schedule. * **-**** ******** ** *** middle ** *** ***** ** *** US *** ******** ** ***** ** impossible *** ** ** *** ********* situated ******** ** *********** *** ** believe **** ***** ****. ******, ** suspect **** **** ** *** ****** point **** ****’* ***********.

** * ****** ** **** ******** approach, **** *** ******* *********** *** readers. **** *** *** *****: **’** investigated *** *********** **** *** **** in **** ******** *******. ****** ****, an *********** ************* ************, ******** **** there *** * **************** ******* ***** analyst *** ***** *********** ** ****. They **** ************ ************* ** *****, and *** ******* ** **** ** in *** ******* ** ********** *** CISA ******** ** ******* *** **** that ***** ********* *** **** ** vulnerabilities **** ****** ******, *** *** issued ******* *** ***** ***************.

** ****** *** ** ****** **** article ***********.

** **** **** **** ** *** about **** *********** ******** – ***** is ****** ******** – ** *** coming ****.

********** ***** ********* ** **: ** gave **** ** ***** ** ** issue **** *** ** ********** ********* 2 **** ****** ****. ***** *** well ***** ** **** ***** *** what *** ** ********** ********* ******* in *** ****.

** ******* *** ***********@*********.***, ***** ** * **** ***** that ** *********** ** ******* ***** employees *** ***** ** ** ***** American ***** ***** ****.

** ****** ******* **** ***** ** angry ** ** ******* ** ***** own ********* ************* ****** *** ****** working **** *** ** **********.

(3)
bashis mcw
Jul 16, 2022

*********** **** **Nozomi * **** ***, ********** ********* *** **** ******* ** ******* *** **. *****, *** ************* ******** ***** ** ** **'* **** ***** ***** ****, ***** **** ** "***********" ****** *** ** ***** ***** **** *** ***** *** ** ********** *** ******* **** ********/********** (****** *** ********** ***/** ********* ******* *** ** **** ** ******)

Nevertheless, **** *** *** **** ****** *** ******** *** ****** ******* *** ***********.

*********

"******** ** *********" ** "******** *********** or ********** ********, **** *** **** of ******** *** **** ** ******** other **** * **** ***** *** interaction".

* ******* *****, ******** ** ********** security, "****" *** (** *******) ********** time ********* ********* ** **** ***** the **** ******** *** *****.

******* ********, * **** **** ***** how **** ********* **********/********** *** *** generation ******* * **** ***** **** Dahua ********* *****, ***** ** ** that ******* **** ******** ** ***** are **** ** ********* *** **** use ** **********/*** **********.

(7)
Undisclosed Manufacturer #1
Jul 18, 2022

** **** **** **** ** ** speak, *** **** ********** ******* ***** cyber ** ***** ******* ** ***** to ****.... ***

(1)
Charles Rollet
Jul 20, 2022

******: **** *** ******* *** **** about *** ***** ***"*** ********* ** ******** ** **** with [**] ** ******** ***** ***************", see ****:***** ********-** (****** *).

*** ******* ********** ****:


*** ** ***** ** ****** ******* to*****'* ******** ********:


**** *** ******* *** ** ***** & ****, ** **** ****** **** response.