
List of Dahua Devices that have Security Flaws

Security Advisory - Identity authentication bypass vulnerability found in some Dahua products

Dahua has disclosed two new vulnerabilities in its firmware, discovered by security researcher bashis, who in 2017 discovered a security flaw that allowed access through the web port with administrator permissions, without the need for a valid user account, on 2nd and 3rd generation equipment.

These two new security flaws can allow an attacker to use malicious data packets to bypass authentication during the login process to a device connected to the Dahua cloud (P2P), allowing an attacker to connect to a device with administrator permissions without having valid credentials.

The problem in 2017 affected devices that had the web port open to allow access from outside the network, but this time it will affect all devices connected via P2P, which is now the vast majority of Dahua equipment. "There is potentially a very high risk of another massive hack of Dahua devices due to this authentication bypass - no valid credentials are required to obtain administrator permissions on the device," bashis writes.

The technical details of the vulnerabilities (CVE-2021-33044 and CVE-2021-33045) will not be made public until 6/Oct/21, so it is necessary to update the firmware of all devices that may be vulnerable.

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.


Common Vulnerabilities and Exposures (CVE) ID:


CVE-2021-33044; CVE-2021-33045


Vulnerability Score


The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).


Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Temporal Score: 7.3 (E:P/RL:O/RC:C)


Affected Products & Fix Software :


The following product Series and models are currently known to be affected:


[Image: list of Dahua devices vulnerable to the security flaws]

The list of vulnerable devices is long, and includes firmware with a compilation date up to June 2021. The latest firmware can be downloaded from the download section of the Dahua website. Any firmware dated after July 2021 will not be affected.
