PoC exploit for 2 flaws in Dahua cameras leaked online

A proof-of-concept exploit for two authentication bypass vulnerabilities in Dahua cameras is available online; users are advised to apply updates immediately.

Experts warn of the availability of proof-of-concept (PoC) exploit code for a couple of authentication bypass vulnerabilities in Dahua cameras, tracked as CVE-2021-33044 and CVE-2021-33045.


A remote attacker can exploit both vulnerabilities by sending specially crafted data packets to the vulnerable cameras.

“The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.” reads the advisory published by the vendor in early September.


The flaw received a CVSS v3 score of 8.1; the vendor recommended that its customers install security updates.

The list of affected models is very long; it includes IPC-X3XXX, HX5XXX, HUM7XX, VTO75X95X, VTO65XXX, VTH542XH, PTZ Dome Camera SD1A1, SD22, SD49, SD50, SD52C, SD6AL, Thermal TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5XXX, TPC-SD8X21, TPC-PT8X21B, NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX.

It could be quite easy for threat actors in the wild to find exposed Dahua devices using a search engine like Shodan and attempt to hack them using the available PoC code. In order to protect Dahua devices, users have to install the latest firmware version.


Pierluigi Paganini

(SecurityAffairs – hacking, Dahua cameras)

The post PoC exploit for 2 flaws in Dahua cameras leaked online appeared first on Security Affairs.
