DHCC-SA-202201-001: Security Advisory - Access control vulnerability found in some Dahua products

2022-01-12

SA ID: DHCC-SA-202201-001

First Published: 2022-01-12


Summary:

Some Dahua products have an access control vulnerability in the password reset process. In specific deployments, attackers can exploit this vulnerability to reset device passwords.

Common Vulnerabilities and Exposures (CVE ID):

CVE-2021-33046


Vulnerability Score

The vulnerability has been classified using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).

Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 7.3 (E:P/RL:O/RC:C)

Affected Products & Fix Software:

The following product series and models are currently known to be affected:

Affected Model / Affected Version / Fix Software

Affected Model: IPC-HX1XXX, HX2XXX, HX3XXX, HX5(4)(3)XXX, HX5XXX, HUM7XXX, HFW7XXX, HX8XXX
Affected Version: versions with build time between 2017/7 and 2021/7
Fix Software:
  DH_IPC-HX1XXX-Molec_MultiLang_PN_V2.820.0000000.33.R.210705.zip
  DH_IPC-HX1XXX-Molec_MultiLang_NP_V2.820.0000000.33.R.210705.zip
  DH_IPC-HX2XXX-Molec_MultiLang_PN_V2.820.0000000.33.R.210705.zip
  DH_IPC-HX2XXX-Molec_MultiLang_NP_V2.820.0000000.33.R.210705.zip
  DH_IPC-HX3XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630.zip
  DH_IPC-HX3XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630.zip
  DH_IPC-HX3XXX-Dalton_MultiLang_NP_Stream3_V2.820.0000000.18.R.210705.zip
  DH_IPC-HX3XXX-Dalton_MultiLang_PN_Stream3_V2.820.0000000.18.R.210705.zip
  DH_IPC-HX5(4)(3)XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630.zip
  DH_IPC-HX5(4)(3)XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630.zip
  DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.820.0000000.5.R.210705.zip
  DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.820.0000000.5.R.210705.zip
  DH_IPC-HUM7XXX-E2-Volt_MultiLang_NP_V2.820.0000000.5.R.210705.zip
  DH_IPC-HUM7XXX-E2-Volt_MultiLang_PN_V2.820.0000000.5.R.210705.zip
  DH_IPC-HFW7XXX-E3-Fafnir_MultiLang_PN_Stream4_V2.800.0000000.4.R.210708.zip
  DH_IPC-HFW7XXX-E3-Fafnir_MultiLang_NP_Stream4_V2.800.0000000.4.R.210708.zip
  DH_IPC-HX8XXX-Nobel_MultiLang_PN_V3.000.0000000.2.R.210712.zip
  DH_IPC-HX8XXX-Nobel_MultiLang_NP_V3.000.0000000.2.R.210712.zip
  DH_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.14.R.210720.zip
  DH_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.14.R.210720.zip
  DH_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.14.R.210712.zip
  DH_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.14.R.210712.zip

Affected Model: PTZ: SD1A1, SD22, SD49, SD50, SD52C, SD6AL
Fix Software:
  DH_SD-Eos-Civil_MultiLang_NP_Stream3_V2.813.0000003.0.R.210817.zip
  DH_SD-Eos-Civil_MultiLang_PN_Stream3_V2.813.0000003.0.R.210817.zip
  DH_SD-Eos_MultiLang_PN_Stream3_V2.812.0000007.0.R.210706.zip
  DH_SD-Eos_MultiLang_NP_Stream3_V2.812.0000007.0.R.210706.zip

Affected Model: Thermal: TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5X01, TPC-SD8X21, TPC-PT8X21X
Fix Software:
  DH_TPC-BF1241-TB_MultiLang_NP_V2.630.0000000.6.R.210707.zip
  DH_TPC-BF1241-TB_MultiLang_PN_V2.630.0000000.6.R.210707.zip
  DH_TPC-BF2221-TB_MultiLang_PN_V2.630.0000000.10.R.210707.zip
  DH_TPC-BF2221-TB_MultiLang_NP_V2.630.0000000.10.R.210707.zip
  DH_TPC-SD2221-TB_MultiLang_PN_V2.630.0000000.7.R.210707.zip
  DH_TPC-SD2221-TB_MultiLang_NP_V2.630.0000000.7.R.210707.zip
  DH_TPC-BF5X01-TB_MultiLang_PN_V2.630.0000000.12.R.210707.zip
  DH_TPC-BF5X01-TB_MultiLang_NP_V2.630.0000000.12.R.210707.zip
  DH_TPC-SD8X21-TB_MultiLang_PN_V2.630.0000000.9.R.210706.zip
  DH_TPC-SD8X21-TB_MultiLang_NP_V2.630.0000000.9.R.210706.zip
  DH_TPC-PT8X21A-TB_MultiLang_PN_V2.630.0000000.14.R.210630.zip
  DH_TPC-PT8X21A-TB_MultiLang_NP_V2.630.0000000.14.R.210630.zip
  DH_TPC-PT8X21B-B_MultiLang_PN_V2.630.0000000.10.R.210701.zip
  DH_TPC-PT8X21B-B_MultiLang_NP_V2.630.0000000.10.R.210701.zip

Affected Model: VTOX20XF, ASC2204C
Fix Software:
  DH_VTOX20XF_MultiLang_PN_SIP_V4.500.0000001.0.R.210713.zip
  DH_ASC2204C_Eng_V1.001.0000001.0.R.20210728.zip

Affected Model: NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX
Affected Version: versions with build time between 2017/1 and 2021/7
Fix Software:
  DH_NVR1XXX-S3H_MultiLang_V4.001.0000005.1.R.210709.zip
  DH_NVR1XHC-S3_MultiLang_V4.001.0000000.1.R.210710.zip
  DH_NVR2XXX-I_Mul_V4.001.0000000.1.R.210710.zip
  DH_NVR2XXX-4KS2_MultiLang_V4.001.0000005.0.R.210709.zip
  DH_NVR2XXX-I2_Mul_V4.002.0000000.0.R.210709.zip
  DH_NVR2XXX-W-4KS2_MultiLang_V4.001.0000003.1.R.210709.zip
  DH_NVR4XXX-I_MultiLang_V4.001.0000000.3.R.210710.zip
  DH_NVR4XXX-4KS2_MultiLang_V4.001.0000005.1.R.210713.zip
  DH_NVR4x-4KS2L_MultiLang_V4.001.0000001.0.R.210709.zip
  DH_NVR5XXX-I_MultiLang_V4.001.0000000.3.R.210710.zip
  DH_NVR5XXX-IL_MultiLang_V4.001.0000000.0.R.210710.zip
  DH_NVR5XXX-4KS2_MultiLang_V4.001.0000006.1.R.210709.zip
  DH_NVR6XX-4KS2_MultiLang_V4.001.0000001.1.R.210716.BIN

Affected Model: XVR4XXX, XVR5XXX, XVR7XXX
Fix Software:
  DH_XVR4x08-I3_MultiLang_V4.001.0000000.15.R.210702.zip
  DH_XVR4x04-X1(2.0)_MultiLang_V4.001.0000000.14.R.210709.zip
  DH_XVR4x04-I_MultiLang_V4.001.0000001.1.R.210709.zip
  DH_XVR4x08-I_MultiLang_V4.001.0000001.1.R.210709.zip
  DH_XVR4x04-I_MultiLang_V4.001.0000001.2.R.210710.zip
  DH_XVR4x08-I_MultiLang_V4.001.0000001.2.R.210710.zip
  DH_XVR4x08-I_MultiLang_V4.001.0000001.3.R.210710.zip
  DH_XVR4x04-I_MultiLang_V4.001.0000001.3.R.210710.zip
  DH_XVR5x16-I2_MultiLang_V4.001.0000003.1.R.210710.zip
  DH_XVR5x04-I2_MultiLang_V4.001.0000003.1.R.210710.zip
  DH_XVR5x08-I2_MultiLang_V4.001.0000003.1.R.210710.zip
  DH_XVR5x04-I3_MultiLang_V4.001.0000000.15.R.210702.zip
  DH_XVR5x08-I3_MultiLang_V4.001.0000000.15.R.210702.zip
  DH_XVR5x04-X1(2.0)_MultiLang_V4.001.0000000.14.R.210709.zip
  DH_XVR5x08-X_MultiLang_V4.001.0000000.9.R.210710.zip
  DH_XVR5x16-X_MultiLang_V4.001.0000000.9.R.210710.zip
  DH_XVR5x04-S2(2.0)_EngSpnFrn_NP_V3.218.0000002.7.R.210707.zip
  DH_XVR5x04-S2(2.0)_Eng_P_V3.218.0000002.7.R.210707.zip
  DH_XVR7x32-I2_MultiLang_V4.001.0000003.1.R.210710.zip
  DH_XVR7x16-I2_MultiLang_V4.001.0000003.1.R.210710.zip
  DH_XVR7x16-X_MultiLang_V4.001.0000000.9.R.210710.zip

Affected Model: HCVR7XXX, HCVR8XXX
Fix Software:
  DH_HCVR7x16-S3_Eng_P_V3.218.0000002.5.R.210713.zip
  DH_HCVR8xxx_Eng_P_V3.218.0000000.3.R.210903.zip
  DH_HCVR8xxx_EngSpnFrn_NP_V3.218.0000000.3.R.210903.zip

Note: Please log in to the web interface of the device to view the build time, which you can find on the Settings > System Information > Version Information page (setting-systeminfo-version).


Fix Software Download

Please download the corresponding fix software, or a newer version, as listed in the table above from the Dahua website, or contact Dahua local technical support to upgrade.

· Cloud upgrade: Dahua products support cloud upgrade, and the relevant fix versions can be obtained through it.

· Dahua official website (overseas): https://www.dahuasecurity.com/support/downloadCenter

· Dahua technical support personnel

Support Resources

For any questions or concerns related to our products and solutions, please contact Dahua PSIRT at psirt@dahuatech.com.

We acknowledge the support of Shielder Team and Romain KOSZYK from DIGITEMIS CYBERSECURITY & PRIVAC, who discovered this vulnerability and reported it to DHCC.

Update Record:

2022-02-10 UPDATE v1.2 Update the affected products & fix software

2022-01-19 UPDATE v1.1 Update the affected products & fix software

2022-01-12 INITIAL