Two authentication bypass vulnerabilities have been identified in Dahua cameras running outdated software. An exploit confirming their practical exploitation was released today, making a firmware update extremely necessary.
The vulnerabilities have been assigned the identifiers CVE-2021-33044 and CVE-2021-33045. Both can be exploited remotely by sending specially crafted data packets during the login process. Details and sample code have been published on GitHub along with a proof of concept.
Just a month ago, Dahua issued a security warning and recommended that owners of vulnerable devices update their software. However, in practice, many cameras are neglected after installation, so it is highly likely that most of them are still running on old and insecure versions.
The list of vulnerable models is extensive and covers many Dahua plug-in cameras, including thermal imaging cameras. According to Shodan, there are about 1.2 million Dahua devices available on the network worldwide. Although not all of them are vulnerable to attack, there are some very popular models among the vulnerable ones.
Dahua Technology is banned from doing business and selling products in the US: in October 2019, it was added to the Commerce Department’s blacklist. Nevertheless, tens of thousands of Dahua cameras continue to be used in the country, and it is not always obvious that the equipment belongs to the Chinese manufacturer. As an investigation by The Intercept revealed, many devices under American (e.g., Honeywell) or Canadian brands are actually built on Dahua hardware and software.
To reduce risks, users are advised to:
- install the latest firmware version available for a specific model;
- replace the default password with a unique and complex one;
- when using Wi-Fi, enable WPA2 encryption and, if possible, create a separate network for IoT devices;
- if the device supports cloud management, download the update directly through the camera interface without going to the Dahua download center.