Dahua Suffers Second Major Vulnerability, Silent [Finally Acknowledges]

Author: Brian Karas, Published on Jul 25, 2017

Less than 3 months ago, Dahua received DHS ICS-CERT's worst score of 10.0 for their backdoor.

Now, Dahua has received another 10.0 score for a new vulnerability. Despite that, Dahua has remained silent.

In this note, we examine the vulnerability, Dahua's poor handling of it compared to competitors Axis and Hikvision, and the potential impact on Dahua.

[Update: After the publication of our report, Dahua has finally acknowledged the vulnerability]

