Two authentication bypass vulnerabilities exist in unpatched Dahua cameras, and a proof-of-concept exploit released today makes a case for updating imperative.
CVE-2021-33044 and CVE-2021-33045 are the names of these authentication bypass vulnerabilities. They may both be remotely exploited by delivering specially designed data packets to the target machine during the login process.
More specifics are present on the proof of concept (PoC) included in today’s complete disclosure and have been put on GitHub.
This comes just a month after Dahua issued a security advisory urging owners of susceptible devices to update their software. However, given how ignored many gadgets are after their initial setup and installation, it’s likely that most of them are still using an outdated and vulnerable version.
The list of impacted models is long and includes numerous Dahua connected cameras, including some thermal cameras. On Shodan, it was discovered approximately 1.2 million Dahua systems all across the world.
It’s essential to note that not all of these devices are vulnerable to attack, but the list of compromised models includes some popular models.
In the United States, Dahua Technology is prohibited from doing business and selling products. In October 2019, the Chinese surveillance camera provider was placed on the US Department of Commerce’s ‘Entity List.’
However, tens of thousands of Dahua cameras are still in operation around the country, and some of them may not be obvious. According to a recent revelation by The Intercept, many cameras marketed in the United States under American (such as Honeywell) or Canadian brands actually use Dahua hardware and software.
Apart from updating your Dahua camera’s firmware to the most recent version available for your model, you should also change the default password to something unique and substantial.
If the camera is WiFi, use WPA2 encryption and, if feasible, create a separate, isolated network for your IoTs.
If your model is cloud-enabled, instead of visiting the Dahua download center, you can get the repairing upgrade instantly through the control interface.
