Two authentication bypass vulnerabilities exist in unpatched Dahua cameras, and a proof-of-concept exploit released on 7th October makes the case for upgrading urgent. Both CVE-2021-33044 and CVE-2021-33045 are authentication bypass weaknesses that can be remotely exploited during the login process by sending specially crafted data packets to the target device.
This comes a month after Dahua issued a security advisory urging owners of vulnerable models to update their firmware, but given how often these devices are forgotten after initial setup and installation, it's possible that many of them are still running an old and vulnerable version. The list of impacted models is long and includes several Dahua cameras, including some thermal cameras.
IPVM confirmed in 2019 that numerous Dahua cameras had a wiretapping vulnerability, based on tests and information from Dahua. Even if the camera's audio was turned off, an unauthenticated attacker could still listen in.
An emergency investigation was conducted by the Dahua Security Team and the R&D Team, with the following preliminary findings:
• Unauthorized download vulnerability in video chat - This vulnerability no longer exists after code reworking because the relevant functional modules were refactored. Some EOL products would have posed a threat to security.
• Replay attack vulnerability: This was a newly discovered vulnerability that had affected several Dahua products.
Dahua spokesperson Tim Shen said, "Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods."
The flaw was initially reported to Dahua in May of 2019. Tenable Research Engineer Jacob Baines discovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC here, CVE-2019-3948), allowing unauthenticated access to the audio stream.
The Chinese surveillance camera provider Dahua Technology has been barred from doing business and selling products in the United States since October 2019, when it was added to the US Department of Commerce's 'Entity List.' However, tens of thousands of Dahua cameras are still in use around the country, and some of them may not be readily apparent. Many cameras marketed in the United States under American or Canadian brands use Dahua hardware and even software, according to a new revelation from The Intercept.
