DHCC-SA-201711-003:Security Advisory – Admin password recovery mechanism in some Dahua IP Camera and IP PTZ could lead to security risk

2017-11-10

SA ID: DHCC-SA-201711-003

First Published: November 10, 2017

Summary:

Customer of Dahua IP camera or IP PTZ could submit relevant device information to receive a time limited temporary password from Dahua authorized dealer to reset the admin password. The algorithm used in this mechanism is potentially at risk of being compromised and subsequently utilized by attacker.

CVE ID: CVE-2017-9315

Vulnerability Score (CVSS V3.0 http://www.first.org/cvss/specification-document):

Base Score: 7.6(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)

Temporal Score: 7.1(E:F/RL:O/RC:C)

Affected Products & Fix Software:

“Fix Software” replaced the password recovery mechanism with a more advanced and secured approach. Please check the document in the following link for details. http://www.dahuasecurity.com/asset/upload/download/Initialization_and_password_reset_for_networking_cameras_V1_EN_20171109.pdf

IP Camera:

Affected Model

Version

Fix Software

IPC-HFW1XXX

IPC-HDW1XXX

IPC-HDBW1XXX

Versions Build between 2015/07 and 2017/03

DH_IPC-HX12XX-Eos3_Eng_P_V2.420.0000.11.R.20170620

DH_IPC-HX12XX-Eos3_EngSpn_N_V2.420.0000.11.R.20170620

DH_IPC-HX1XXX-Eos3_Eng_P_V2.420.0000.11.R.20170612

DH_IPC-HX1XXX-Eos3_EngSpn_N_V2.420.0000.11.R.20170612

DH_IPC-HX1X2X-Themis_Eng_P_V2.620.0000002.0.R.170830

DH_IPC-HX1X2X-Themis_EngSpn_N_V2.620.0000002.0.R.170830

DH_IPC-HX1X2X-Themis_Eng_P_V2.620.0000002.0.R.170830

DH_IPC-HX1X2X-Themis_EngSpn_N_V2.620.0000002.0.R.170830

DH_IPC-Consumer-Zi-Themis_Eng_P_V2.400.0000000.16.R.20170831

DH_IPC-Consumer-Zi-Themis_EngSpn_N_V2.400.0000000.16.R.20170831

IPC-HFW2XXX

IPC-HDW2XXX

IPC-HDBW2XXX

IPC-HFW4XXX

IPC-HDW4XXX

IPC-HDBW4XXX

DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX5X2X-Themis_Eng_P_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX5X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000000.16.R.20170904

DH_IPC-HX5X3X-Rhea_EngSpnFrn_N_Stream3_V2.460.0000000.16.R.20170904

IPC-HF5XXX

IPC-HFW5XXX

IPC-HDW5XXX

IPC-HDBW5XXX

IPC-HF8XXX

IPC-HFW8XXX

IPC-HDBW8XXX

IPC-EBW8XXX

IPC-PFW8xxx

IPC-PDBW8xxx

IPC-HUM8xxx

PSD8xxxx

DH_IPC-HX8XXX-Nova_Eng_P_Stream3_V2.600.0000.14.R.20170830 DH_IPC-HX8XXX-Nova_EngSpn_N_Stream3_V2.600.0000.14.R.20170830

DH_IPC-PFW8XXX-Nova_Eng_P_Stream3_V2.460.0000.10.R.20170802

DH_IPC-PFW8XXX-Nova_EngSpn_N_Stream3_V2.460.0000.10.R.20170802

DH_IPC-HX8XXX-Nova2_Eng_P_Stream3_V2.600.0000.2.R.20170809

DH_IPC-HX8XXX-Nova2_EngSpn_N_Stream3_V2.600.0000.2.R.20170809

DH_IPC-HX8XXX-Nova2_Eng_P_Stream3_V2.600.0000.3.R.20170830

DH_IPC-HX8XXX-Nova2_EngSpn_N_Stream3_V2.600.0000.3.R.20170830

IP PTZ:

Affected Model	Version	Fix Software
DH-SD2XXXXX	Versions Build between 2015/07 and 2017/03	DH_SD-Mao-Themis_Eng_P_Stream3_IVS_V2.600.0000.0.R.20170601.zip DH_SD-Mao-Themis_EngSpn_N_Stream3_IVS_V2.600.0000.0.R.20170601.zip
DH-SD4XXXXX		DH_SD-Mao-Rhea_Eng_P_Stream3_IVS_V2.600.0000.2.R.20170905.zip DH_SD-Mao-Rhea_EngSpnFrn_N_Stream3_IVS_V2.600.0000.2.R.20170905.zip
DH-SD5XXXXX		DH_SD-Eos_Eng_P_Stream3_V2.600.0000000.10.R.170906.zip DH_SD-Eos_EngSpnFrn_N_Stream3_V2.600.0000000.10.R.170906.zip
DH-SD6XXXXX		DH_SD-Yin-Demeter_Eng_P_Stream3_Intelligent_V2.600.0000000.1.R.170823 DH_SD-Yin-Demeter_EngSpnFrn_N_Stream3_Intelligent_V2.600.0000000.1.R.170823 DH_SD-Mao-Nova_Eng_P_Stream3_V2.600.0000.3.R.20170717 DH_SD-Chen-Nova_EngSpnFrn_N_Stream3_V2.600.0000.3.R.20170717 DH_SD-Chen-Nova_Eng_P_Stream3_V2.600.0000.3.R.20170717 DH_SD-Mao-Nova_EngSpnFrn_N_Stream3_V2.600.0000.3.R.20170717 DH_SD-Chen-Nova_Eng_P_Stream3_V2.600.0000.4.R.20170808 DH_SD-Chen-Nova_EngSpnFrn_N_Stream3_V2.600.0000.4.R.20170808 DH_SD-Eos_Eng_P_Stream3_V2.600.0000000.13.R.170928 DH_SD-Eos_EngSpnFrn_N_Stream3_V2.600.0000000.13.R.170928 DH_SD-Eos_Eng_P_Stream3_V2.600.0000000.10.R.170906.zip DH_SD-Eos_EngSpnFrn_N_Stream3_V2.600.0000000.10.R.170906.zip

Fix software download:

Please download the corresponding fix software (or its newer version) as listed in the above table from Dahua website. Customers can also contact Dahua local technical support to obtain the fix software

Support Resources

Dahua technical team will be available to advise and support the upgrade process. For any questions or concerns related to cybersecurity, please contact Dahua at psirt@dahuatech.com

We acknowledge the support of Kenny Lu from Trend Micro working with Zero Day Initiative (ZDI) who discovered this vulnerability and reported to Dahua PSIRT

All Products

Key Technologies

Virtual Innovation Center

Solutions by Industry

SMB Solutions by Scenario

SMB Solutions by Application

SMB Solutions by Application

Solution

Support

Partner

News & Events

About Us

DHCC-SA-201711-003:Security Advisory – Admin password recovery mechanism in some Dahua IP Camera and IP PTZ could lead to security risk