Overview
Dahua Technology, a well-known security camera and digital video recorder (DVR) vendor in China, released firmware updates to address serious security vulnerabilities for several of their products. By exploiting this vulnerability an attacker can access the user database of a Dahua camera without needing administrative privileges and extract the user name and password hash.
Then the attacker can directly use the user name and password hash to login to the device and obtain related privileges and other forms of data. Additionally, a security researcher that goes by the name Bashis claimed that the vendor Dahua had intentionally included a backdoor in a few of their product lines which prompted the researcher to publicly disclose his findings prior to informing Dahua Thechnology.
As per Dahua Technology’s official statement the following models are affected:
- DH-IPC-HDW23A0RN-ZS
- DH-IPC-HDBW23A0RN-ZS
- DH-IPC-HDBW13A0SN
- DH-IPC-HDW13A0SN
- DH-IPC-HFW13A0SN-W
- DH-IPC-HDBW13A0SN
- DH-IPC-HDW13A0SN
- DH-IPC-HFW13A0SN-W
- DHI-HCVR51A04HE-S3
- DHI-HCVR51A08HE-S3
- DHI-HCVR58A32S-S2
NSFOCUS Threat Intelligence’s Analysis on the Global Impact of This Vulnerability
According to our statistics, the number of worldwide devices with this vulnerability reaches 1,140,446. The following illustration denotes the geographic locations of the compromised assets:
Top 20 countries hosting the majority of vulnerable devices are shown below:
Nationwide Distribution of Vulnerable Devices in China
Our statistics reveal that there are 108,205 devices in total affected by this vulnerability in China. The following figure shows the distribution of these vulnerable devices in different provinces.
The following figure shows top 10 China provinces and municipalities with the most vulnerable devices.
Vulnerability Analysis
Prerequisites for Vulnerability Exploitation
As shown in the following figure, after accessing a specific device by typing its IP address in the address bar the attacker can obtain all data of the user database including sensitive user names and hashed passwords for device access. For the sake of security sensitive information is obfuscated:
Vulnerability Exploitation
The hashed passwords do not need to be cracked before being used to log in to the device to obtain access and related privileges as depicted in the following figure:
After device login the attacker can view and modify its configurations such as the admin password. Additionally, after such remote login the attacker can directly obtain sensitive information such as images stored on the device posing serious threat to users’ privacy.
Vendor Solutions
Dahua Technology has identified 11 models affected by this vulnerability and has since released firmware updates. Users should check their models against the following table and upgrade their devices as soon as possible.
| DH-IPC-HDW23A0RN-ZS | Download |
| DH-IPC-HDBW23A0RN-ZS | |
| DH-IPC-HDBW13A0SN | Download |
| DH-IPC-HDW13A0SN | |
| DH-IPC-HFW13A0SN-W | |
| DH-IPC-HDBW13A0SN | Download |
| DH-IPC-HDW13A0SN | |
| DH-IPC-HFW13A0SN-W | |
| DHI-HCVR51A04HE-S3 | Download |
| DHI-HCVR51A08HE-S3 | Download |
| DHI-HCVR58A32S-S2 | Download |
Technical Solutions
If you are not sure whether your devices are affected by this vulnerability you may use the following NSFOCUS security devices: NSFOCUS Remote Security Assessment System (RSAS V5 or V6), Web Vulnerability Scanning System (WVSS), or ICS Scanning System (ICSScan V6.0) to detect this vulnerability.
You should upgrade your devices to the latest version by downloading upgrade packages from the preceding links before using them to detect vulnerabilities.
Remote Security Assessment System (RSAS V6):
http://update.nsfocus.com/update/listRsasDetail/v/vulweb
http://update.nsfocus.com/update/listRsasDetail/v/vulsys
Web Vulnerability Scanning System (WVSS):
http://update.nsfocus.com/update/listWvssDetail/v/6/t/plg
ICS Scanning System (ICSScan V6.0):
http://update.nsfocus.com/update/listICSScanDetail/v/vulsys
Use NSFOCUS’s protection product (NIPS, NIDS, NF, or WAF) to protect against the exploitation of the vulnerability.
Network Intrusion Prevention System (NIPS):
http://update.nsfocus.com/update/listIps
Network Intrusion Detection System (NIDS):
http://update.nsfocus.com/update/listIds
Next-Generation Firewall (NF):
http://update.nsfocus.com/update/listNf
Web Application Firewall (WAF):
http://update.nsfocus.com/update/wafIndex
Conclusion
This vulnerability exists solely in part due to Dahua Technology’s negligence and efforts conducted on behalf of the company’s engineering management. It permits for authorized account access and database download of user and customer information without administrative privileges.
After obtaining sensitive information such as user-names and passwords an attacker can remotely log into the device thus posing a serious threat to a users’ privacy and PII (Personal Identifiable Information).
NSFOCUS determined that this particular exploit can be accomplished rather easily posing detrimental impact to the users device and PII.
For additional details about attack vector please visit the following links:
https://ipvm.com/reports/dahua-backdoor?code=bash
http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php#none
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
http://www.nsfocusglobal.com.
