DHCC-SA-201711-004:Security Advisory – High risk vulnerability found in Dahua IPC-HDW4300S and some IP products

2017-11-18

SA ID: DHCC-SA-201711-004


First Published: November 18, 2017


Latest Update: November 23, 2017


Summary:

Firmware upgrade authentication bypass vulnerability was found in Dahua IPC-HDW4300S and some IP products. The vulnerability was caused by internal Debug function. This particular function was used for problem analysis and performance tuning during product development phase. It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution.


CVE ID: CVE-2017-9316


Vulnerability Score (CVSS V3.0 http://www.first.org/cvss/specification-document):


Base Score:7.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H)

Temporal Score:6.7 (E:P/RL:O/RC:C)


Affected Products & Fix Software:


Within the first 24 hours after identifying the risk, Dahua has screened all actively shipping products against this vulnerability and found all products shipped after June 2017 are not affected. The screening of products shipped with firmware released between 2016 July and 2017 June identified the following affected products.


Affected Model

Firmware Version

Fix Software

IPC-HDW4300S

DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.240.0009.0.R.20131015
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.240.0009.0.R.20131015
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.400.0000.0.R.20131231
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.400.0000.0.R.20131231
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0000.0.R.20140419
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0000.0.R.20140419
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0002.0.R.20140621
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0002.0.R.20140621
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0002.0.R.20140724
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0002.0.R.20140724
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0005.0.R.20141205
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0005.0.R.20141205
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0006.0.R.20150311
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0006.0.R.20150311
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0007.0.R.20150409
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0007.0.R.20150409
DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0008.0.R.20150710
DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0008.0.R.20150710




DH_IPC-HX5(4)XXX-adreia_Eng_N_stream3_V2.420.0009.0.R.20151106


DH_IPC-HX5(4)XXX-adreia_Eng_P_stream3_V2.420.0009.0.R. 20151106

NVR11HS

DH_NVR1100HS_Chn_P_V3.210.0000.5.R.20160803
DH_NVR11xxHS_Chn_V3.210.0000.5.R.20161226
DH_NVR11xxHS_Chn_V3.210.0000.5.R.20170305
DH_NVR11xxHS_Chn_V3.210.0000.5.R.20170321

DH_NVR11xxHS_Chn_V3.213.0000.0.R.20170516.zip


Further screening of products shipped with firmware released before 2016 July identified the following affected products.


Affected Model

Firmware Version

Fix Software

IPC-HFW4X00

IPC-HDW4X00

IPC-HDBW4X00

DH_IPC-HX4(2)X2X-Themis_Eng_P_Stream3_V2.400.0000.3.R.20150312

DH_IPC-HX4(2)X2X-Themis_Eng_N_Stream3_V2.400.0000.3.R.20150312


DH_IPC-HX5(4)XXX-Adreia_Eng_P_Stream3_V2.420.0006.0.R.20150311

DH_IPC-HX5(4)XXX-Adreia_Eng_N_Stream3_V2.420.0006.0.R.20150311


DH_IPC-HX4(2)X2X-Themis_Chn_P_Stream3_V2.400.0000.3.R.20150312

DH_IPC-HX5(4)XXX-Adreia_Chn_P_Stream3_V2.420.0006.0.R.20150311

DH_IPC-HX5(4)XXX-Adreia_Chn_P_Stream3_IVS_V2.420.0006.0.R.20150311

DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830


DH_IPC-HX5(4)XXX-Adreia_Eng_P_Stream3_V2.420.0009.0.R.20151106

DH_IPC-HX5(4)XXX-Adreia_Eng_N_Stream3_V2.420.0009.0.R.20151106


DH_IPC-HX4X2X-Themis_Chn_PN_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX5(4)XXX-Adreia_Chn_PN_Stream3_V2.420.0009.0.R.20151106

DH_IPC-HX5(4)XXX-Adreia_Chn_P_Stream3_IVS_V2.420.0009.0.R.20151106

IPC-HF5X00

IPC-HFW5X00

IPC-HDW5X00

IPC-HDBW5X00

DH_IPC-HX5X2X-Themis_Eng_P_Stream3_V2.400.0000.3.R.20150312

DH_IPC-HX5X2X-Themis_Eng_N_Stream3_V2.400.0000.3.R.20150312


DH_IPC-HX5(4)XXX-Adreia_Eng_P_Stream3_V2.420.0006.0.R.20150311

DH_IPC-HX5(4)XXX-Adreia_Eng_N_Stream3_V2.420.0006.0.R.20150311


DH_IPC-HX5X2X-Themis_Chn_P_Stream3_V2.400.0000.3.R.20150312

DH_IPC-HX5(4)XXX-Adreia_Chn_P_Stream3_V2.420.0006.0.R.20150311

DH_IPC-HX5(4)XXX-Adreia_Chn_P_Stream3_IVS_V2.420.0006.0.R.20150311

DH_IPC-HX5X2X-Themis_Eng_P_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX5X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830


DH_IPC-HX5(4)XXX-Adreia_Eng_P_Stream3_V2.420.0009.0.R.20151106

DH_IPC-HX5(4)XXX-Adreia_Eng_N_Stream3_V2.420.0009.0.R.20151106


DH_IPC-HX5X2X-Themis_Chn_PN_Stream3_V2.620.0000002.0.R.170830

DH_IPC-HX5(4)XXX-Adreia_Chn_PN_Stream3_V2.420.0009.0.R.20151106

DH_IPC-HX5(4)XXX-Adreia_Chn_P_Stream3_IVS_V2.420.0009.0.R.20151106

NVR11HS

General_NVR11xxHS_Chn_P_V3.210.0000.0.R.20150206

DH_NVR11xxHS_Eng_NP_V3.210.0000.1.R.20150420

DH_NVR11xxHS_Eng_NP_V3.210.0000.2.R.20150715

DH_NVR11xxHS_Chn_P_V3.210.0000.3.R.20150921

DH_NVR11xxHS_Chn_P_V3.210.0000.5.R.20160409

DH_NVR11xxHS_Chn_P_V3.210.0000.5.R.20160603

DH_NVR11xxHS_Chn_V3.213.0000.0.R.20170516

DH_NVR11xxHS_Chn_V3.215.0000000.0.R.171013

DH_NVR11xxHS_Eng_V3.215.0000000.0.R.171013


Dahua will provide update information if additional affected products are identified.


Fixed software download:


Fixed software can be downloaded from Dahua website. They can also be obtainedfrom Dahua technical support.


Support Resources


Dahua technical team will be available to advise and support the upgrade process. For any questions or concerns related to cybersecurity, please contact Dahua at psirt@dahuatech.com


Note on update


2017-11-23 UPDATE Update affected product and fix software

2017-11-18 INITIAL