Dahuasecurity.com menggunakan cookie dan teknologi serupa lainnya. Dahua menggunakan cookie fungsional untuk memastikan situs dan layanan kami beroperasi sebagaimana mestinya dan cookie analitis untuk menjadikan pengalaman pengguna Anda optimal. Cookie pihak ketiga juga dapat mengumpulkan data di luar situs web kami. Dengan mengeklik " Setuju atau terus menggunakan situs web ini, Anda memberikan persetujuan atas pengaturan cookie dan pemrosesan data pribadi yang disertakan. Informasi lebih lanjut mengenai pernyataan cookie kami.

Security Advisory - Identity authentication bypass vulnerability found in some Dahua products

15761

SA IDDHCC-SA-202106-001


First Published2021-09-01


Last Published:2021-11-15


Summary


The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.


Common Vulnerabilities and ExposuresCVE ID):


CVE-2021-33044; CVE-2021-33045


Vulnerability Score


The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).


Base Score:8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Temporal Score:7.3 (E:P/RL:O/RC:C)


Affected Products & Fix Software


The following product Series and models are currently known to be affected:


1. CVE-2021-33044

Affected Model

Affected Version

Fix Software

IPC-HX1XXX, HX2XXX, HX3XXX,

HX5(4)(3)XXX,

HX5XXX,

HUM7XXX,

HX8XXX


Versions which Build time before June,2021

DH_IPC-HX1XXX-Molec_MultiLang_PN_V2.820.0000000.33.R.210705

DH_IPC-HX1XXX-Molec_MultiLang_NP_V2.820.0000000.33.R.210705

DH_IPC-HX2XXX-Molec_MultiLang_PN_V2.820.0000000.33.R.210705

DH_IPC-HX2XXX-Molec_MultiLang_NP_V2.820.0000000.33.R.210705

DH_IPC-HX3XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX3XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX3XXX-Dalton_MultiLang_NP_Stream3_V2.820.0000000.18.R.210705

DH_IPC-HX3XXX-Dalton_MultiLang_PN_Stream3_V2.820.0000000.18.R.210705

DH_IPC-HX5(4)(3)XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX5(4)(3)XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.820.0000000.5.R.210705

DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.820.0000000.5.R.210705

DH_IPC-HUM7XXX-E2-Volt_MultiLang_NP_V2.820.0000000.5.R.210705

DH_IPC-HUM7XXX-E2-Volt_MultiLang_PN_V2.820.0000000.5.R.210705

DH_IPC-HX8XXX-Nobel_MultiLang_PN_V3.000.0000000.2.R.210712

DH_IPC-HX8XXX-Nobel_MultiLang_NP_V3.000.0000000.2.R.210712

DH_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.14.R.210720

DH_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.14.R.210720

DH_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.14.R.210712

DH_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.14.R.210712


VTO75X95X,

VTO65XXX

DH_VTO75X95X_Eng_PN_SIP_V4.300.0000003.0.R.210714

DH_VTO65XXX_Eng_PN_V4.300.0000004.0.R.210715


VTH542XH

DH_VTH542XH_MultiLang_SIP_V4.500.0000002.0.R.210715

PTZ Dome Camera SD1A1,

SD22,

SD49,

SD50,

SD52C,

SD6AL

DH_SD-Eos-Civil_MultiLang_PN_Stream3_V2.812.0000007.0.R.210706

DH_SD-Eos-Civil_MultiLang_NP_Stream3_V2.812.0000007.0.R.210706

DH_SD-Eos_MultiLang_PN_Stream3_V2.812.0000007.0.R.210706

DH_SD-Eos_MultiLang_NP_Stream3_V2.812.0000007.0.R.210706

Thermal

TPC-BF1241,

TPC-BF2221,

TPC-SD2221, TPC-BF5XXX,

TPC-SD8X21,

TPC-PT8X21B

DH_TPC-BF1241-TB_MultiLang_PN_V2.630.0000000.6.R.210707

DH_TPC-BF1241-TB_MultiLang_NP_V2.630.0000000.6.R.210707

DH_TPC-BF2221-TB_MultiLang_PN_V2.630.0000000.10.R.210707

DH_TPC-BF2221-TB_MultiLang_NP_V2.630.0000000.10.R.210707

DH_TPC-SD2221-TB_MultiLang_PN_V2.630.0000000.7.R.210707

DH_TPC-SD2221-TB_MultiLang_NP_V2.630.0000000.7.R.210707

DH_TPC-BF5X01-TB_MultiLang_PN_V2.630.0000000.12.R.210707

DH_TPC-BF5X01-TB_MultiLang_NP_V2.630.0000000.12.R.210707

DH_TPC-BF5X21-TB_MultiLang_PN_V2.630.0000000.8.R.210630

DH_TPC-BF5X21-TB_MultiLang_NP_V2.630.0000000.8.R.210630

DH_TPC-PT8X21A-TB_MultiLang_PN_V2.630.0000000.14.R.210630

DH_TPC-PT8X21A-TB_MultiLang_NP_V2.630.0000000.14.R.210630

DH_TPC-SD8X21-TB_MultiLang_PN_V2.630.0000000.9.R.210706

DH_TPC-SD8X21-TB_MultiLang_NP_V2.630.0000000.9.R.210706

DH_TPC-PT8X21B-B_MultiLang_PN_V2.630.0000000.10.R.210701

DH_TPC-PT8X21B-B_MultiLang_NP_V2.630.0000000.10.R.210701



2. CVE-2021-33045

Affected Model

Affected Version

Fix Software

IPC-HX1XXX, HX2XXX, HX3XXX,

HX5(4)(3)XXX,

HX5XXX,

HUM7XXX,

HX8XXX


Versions which Build time before May,2020

DH_IPC-HX1XXX-Molec_MultiLang_PN_V2.820.0000000.33.R.210705

DH_IPC-HX1XXX-Molec_MultiLang_NP_V2.820.0000000.33.R.210705

DH_IPC-HX2XXX-Molec_MultiLang_PN_V2.820.0000000.33.R.210705

DH_IPC-HX2XXX-Molec_MultiLang_NP_V2.820.0000000.33.R.210705

DH_IPC-HX3XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX3XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX3XXX-Dalton_MultiLang_NP_Stream3_V2.820.0000000.18.R.210705

DH_IPC-HX3XXX-Dalton_MultiLang_PN_Stream3_V2.820.0000000.18.R.210705

DH_IPC-HX5(4)(3)XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX5(4)(3)XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630

DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.820.0000000.5.R.210705

DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.820.0000000.5.R.210705

DH_IPC-HUM7XXX-E2-Volt_MultiLang_NP_V2.820.0000000.5.R.210705

DH_IPC-HUM7XXX-E2-Volt_MultiLang_PN_V2.820.0000000.5.R.210705

DH_IPC-HX8XXX-Nobel_MultiLang_PN_V3.000.0000000.2.R.210712

DH_IPC-HX8XXX-Nobel_MultiLang_NP_V3.000.0000000.2.R.210712

DH_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.14.R.210720

DH_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.14.R.210720

DH_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.14.R.210712

DH_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.14.R.210712


VTO75X95X,

VTO65XXX

Versions which Build time before December,2019

DH_VTO75X95X_Eng_PN_SIP_V4.300.0000003.0.R.210714

DH_VTO65XXX_Eng_PN_V4.300.0000004.0.R.210715


VTH542XH

DH_VTH542XH_MultiLang_SIP_V4.500.0000002.0.R.210715

NVR1XXX,

NVR2XXX,

NVR5XXX,

NVR6XX

DH_NVR4XXX-I_MultiLang_V4.001.0000000.3.R.210710

DH_NVR4x-4KS2L_MultiLang_V4.001.0000001.0.R.210709

DH_NVR4XXX-4KS2_MultiLang_V4.001.0000005.1.R.210713

DH_NVR5XXX-4KS2_MultiLang_V4.001.0000006.1.R.210709

DH_NVR5XXX-I_MultiLang_V4.001.0000000.3.R.210710

DH_NVR5XXX-IL_MultiLang_V4.001.0000000.0.R.210710

DH_NVR1XHC-S3_MultiLang_V4.001.0000000.1.R.210710

DH_NVR2XXX-4KS2_MultiLang_V4.001.0000005.0.R.210709

DH_NVR2XXX-W-4KS2_MultiLang_V4.001.0000003.1.R.210709

DH_NVR2XXX-I2_Mul_V4.002.0000000.0.R.210709

DH_NVR2XXX-I_Mul_V4.001.0000000.1.R.210710

DH_NVR1XXX-S3H_MultiLang_V4.001.0000005.1.R.210709

DH_NVR6XX-4KS2_MultiLang_V4.001.0000001.1.R.210716


XVR4xxx,

XVR5xxx,

XVR7xxx

DH_XVR5x16-I2_MultiLang_V4.001.0000003.1.R.210710

DH_XVR7x16-I2_MultiLang_V4.001.0000003.1.R.210710

DH_XVR5x08-I2_MultiLang_V4.001.0000003.1.R.210710

DH_XVR5x04-I2_MultiLang_V4.001.0000003.1.R.210710

DH_XVR7x32-I2_MultiLang_V4.001.0000003.1.R.210710

DH_XVR5x08-I3_MultiLang_V4.001.0000000.15.R.210702

DH_XVR5x04-I3_MultiLang_V4.001.0000000.15.R.210702

DH_XVR4x08-I3_MultiLang_V4.001.0000000.15.R.210702

DH_XVR4x04-I_MultiLang_V4.001.0000001.1.R.210709

DH_XVR4x08-I_MultiLang_V4.001.0000001.1.R.210709

DH_XVR5x08-X_MultiLang_V4.001.0000000.9.R.210710

DH_XVR5x16-X_MultiLang_V4.001.0000000.9.R.210710

DH_XVR7x16-X_MultiLang_V4.001.0000000.9.R.210710

DH_XVR5x04-X1(2.0)_MultiLang_V4.001.0000000.14.R.210709

DH_XVR4x04-X1(2.0)_MultiLang_V4.001.0000000.14.R.210709



Note: Please login to the Web interface of the device to view Build time, which you can find on the Settings-System Information-Version Information page (setting-systeminfo-version).


Fix Software Download


Please download the corresponding fix software or its newer version as listed in the above table from Dahua website, or contact Dahua local technical support to upgrade.


Cloud Upgrade: Dahua products have the capability of cloud upgrade. Relevant repair versions can be obtained through cloud upgrade.

Dahua Official Website: Overseas: https://www.dahuasecurity.com/support/downloadCenter

Dahua Technical Support Personnel


Support Resources


For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.

We acknowledge the support of Bashis who discovered this vulnerability and reported to DHCC.


Update Record


2021-11-15 V1.1 UPDATED Updated the “Affected Products & Fix Software” section and the updated products;

2021-09-01 INITIAL