SA ID: DHCC-SA-202004-001
First Published: 2020-4-7
Summary:
1. CVE-2020-9499: Buffer Overflow vulnerability
Some Dahua products have buffer overflow vulnerabilities. After successfully logging in with a legitimate account, an attacker can send a specific DDNS test command, which may cause the device to go down.
2. CVE-2020-9500: Denial of Service vulnerability
Some Dahua products have Denial of Service vulnerabilities. After successfully logging in with a legitimate account, an attacker can send a specific log query command, which may cause the device to go down.
Vulnerability Score (CVSS V3.0, http://www.first.org/cvss/specification-document):
1. CVE-2020-9499
Base Score: 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Temporal Score: 4.4 (E:P/RL:O/RC:C)
2. CVE-2020-9500
Base Score: 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Temporal Score: 4.4 (E:P/RL:O/RC:C)
Affected Products & Fix Software:
The following product series and models are currently known to be affected:
| Affected Model | Affected Version | Fix Software |
|---|---|---|
| IPC-HX2XXX Series | Versions with a build time before December 2019 | DH_IPC-HX25(8)XX-Molec_MultiLang_PN_V2.800.0000000.15.R.200313 General_IPC-HX25(8)XX-Molec_MultiLang_PN_V2.800.0000000.15.R.200313 DH_IPC-HX25(8)XX-Molec_MultiLang_NP_V2.800.0000000.15.R.200313 General_IPC-HX25(8)XX-Molec_MultiLang_NP_V2.800.0000000.15.R.200313 |
| IPC-HXXX5X4X Series | Versions with a build time before December 2019 | DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.800.0000000.12.R.200319 DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.800.0000000.12.R.200319 DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.800.0000000.12.R.200319 DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.800.0000000.12.R.200319 |
| IPC-HX5842H | Versions with a build time before December 2019 | DH_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.5.R.200324 DH_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.5.R.200324 General_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.5.R.200324 General_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.5.R.200324 |
| IPC-HX7842H | Versions with a build time before December 2019 | DH_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.5.R.200324 DH_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.5.R.200324 General_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.5.R.200324 General_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.5.R.200324 |
| NVR 5x Series | Versions with a build time before December 2019 | DH_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319 |
| NVR 4x Series | Versions with a build time before December 2019 | General_NVR4XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319 |
| SD6AL Series | Versions with a build time before December 2019 | DH_SD-Prometheus_MultiLang_PN_Stream3_V2.800.0000009.3.R.200331 DH_SD-Prometheus_Chn_PN_Stream3_V2.800.0000009.3.R.200331 General_SD-Prometheus_MultiLang_NP_Stream3_V2.800.0000009.3.R.200331 General_SD-Prometheus_Chn_PN_Stream3_V2.800.0000009.3.R.200331 DH_SD-Prometheus_MultiLang_NP_Stream3_V2.800.0000009.3.R.200331 General_SD-Prometheus_MultiLang_PN_Stream3_V2.800.0000009.3.R.200331 |
| SD5A Series | | |
| SD1A Series | | |
| PTZ1A Series | | |
| SD50/52C Series | | |
Note: Please log in to the Web interface of the device to view the build time, which is shown on the Settings-System Information-Version Information page (setting-systeminfo-version).
Fix Software Download:
Please download the corresponding fix software listed in the table above, or a newer version, from the Dahua website, or contact Dahua local technical support to upgrade.
● Cloud Upgrade: Dahua products support cloud upgrade. The relevant fixed versions can be obtained through cloud upgrade.
● Dahua Official Website: Mainland: https://www.dahuasecurity.com/support/downloadCenter
● Dahua Technical Support Personnel
Support Resources:
For any questions or concerns related to our products and solutions, please contact Dahua PSIRT at psirt@dahuatech.com