
Security Advisory – Session ID predictable vulnerability found in some Dahua products

SA ID: DHCC-SA-202005-003


First Published: 2020-5-11


Summary:


1. CVE-2020-9502: Predictable Session ID vulnerability


Some Dahua products have a predictable Session ID vulnerability. During normal user access, an attacker can use a predicted Session ID to construct a data packet to attack the device.


Vulnerability Score (CVSS V3.1, http://www.first.org/cvss/specification-document):


CVE-2020-9502


Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Temporal Score: 7.9 (E:P/RL:O/RC:C)


Affected Products & Fix Software:


The following product series and models are currently known to be affected:

Affected Model

Affected Version

Fix Software

IPC-HX2XXX Series

Versions with a build time before December 2019

DH_IPC-HX25(8)XX-Molec_MultiLang_PN_V2.800.0000000.15.R.200313

General_IPC-HX25(8)XX-Molec_MultiLang_PN_V2.800.0000000.15.R.200313

DH_IPC-HX25(8)XX-Molec_MultiLang_NP_V2.800.0000000.15.R.200313

General_IPC-HX25(8)XX-Molec_MultiLang_NP_V2.800.0000000.15.R.200313

IPC-HXXX5X4X Series


Versions with a build time before December 2019

DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.800.0000000.12.R.200319

DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.800.0000000.12.R.200319

DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.800.0000000.12.R.200319

DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.800.0000000.12.R.200319

IPC-HX5842H

Versions with a build time before December 2019

DH_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.5.R.200324

DH_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.5.R.200324

General_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.5.R.200324

General_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.5.R.200324

IPC-HX7842H

Versions with a build time before December 2019

DH_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.5.R.200324

DH_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.5.R.200324

General_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.5.R.200324

General_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.5.R.200324

NVR 5x Series

Versions with a build time before December 2019

DH_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319
General_NVR5XXX-4KS2_Chn_V4.001.0000000.1.R.200319
General_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319
General_NVR5XXX-4KS2_Eng_V4.001.0000000.1.R.200319
DH_NVR5XXX-4KS2_Chn_V4.001.0000000.1.R.200319

NVR 4x Series

Versions with a build time before December 2019

General_NVR4XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319
DH_NVR4XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319
General_NVR4XXX-4KS2_Chn_V4.001.0000000.1.R.200319
General_NVR4XXX-4KS2_Eng_V4.001.0000000.1.R.200319
DH_NVR4XXX-4KS2_Chn_V4.001.0000000.1.R.200319

SD6AL Series

Versions with a build time before December 2019

DH_SD-Prometheus_MultiLang_PN_Stream3_V2.800.0000009.3.R.200331

DH_SD-Prometheus_Chn_PN_Stream3_V2.800.0000009.3.R.200331

General_SD-Prometheus_MultiLang_NP_Stream3_V2.800.0000009.3.R.200331

General_SD-Prometheus_Chn_PN_Stream3_V2.800.0000009.3.R.200331

DH_SD-Prometheus_MultiLang_NP_Stream3_V2.800.0000009.3.R.200331

General_SD-Prometheus_MultiLang_PN_Stream3_V2.800.0000009.3.R.200331

SD5A Series

SD1A Series

PTZ1A Series

SD50/52C Series

IPC-HFW1431S

Versions with a build time before December 2019

DH_IPC-HX2X3X-Rhea_MultiLang_NP_Stream2_V2.800.0000015.0.R.200430
DH_IPC-HX2X3X-Rhea_MultiLang_PN_Stream2_V2.800.0000015.0.R.200430
General_IPC-HX2X3X-Rhea_Eng_NP_Stream2_V2.800.0000015.0.R.200430
General_IPC-HX2X3X-Rhea_Eng_PN_Stream2_V2.800.0000015.0.R.200430

Note: Please log in to the Web interface of the device to view the build time, which you can find on the Settings-System Information-Version Information page (setting-systeminfo-version).


Fix Software Download:


Please download the corresponding fix software, or a newer version, as listed in the above table from the Dahua website, or contact Dahua local technical support to upgrade.


Cloud Upgrade: Dahua products have the capability of cloud upgrade. Relevant repair versions can be obtained through cloud upgrade.

Dahua Official Website: Mainland: https://www.dahuasecurity.com/support/downloadCenter

Dahua Technical Support Personnel


Support Resources:


For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.

We acknowledge the support of Thomas Vogt from the University of Applied Sciences Offenburg, who discovered this vulnerability and reported it to DHCC.