
Security Advisory – Some products of Dahua have security risks


SA ID: DHCC-SA-201909-001


First Published: September 14, 2019


Latest Update: January 10, 2020


Summary:


1. Certain fields of the CGI interface of some Dahua products are not strictly validated; an attacker can trigger a buffer overflow by sending crafted packets.

2. Some Dahua products are vulnerable to denial of service during the login process; an attacker can crash the device by sending crafted packets.

3. Some Dahua debug functions lack permission separation: a low-privileged user can invoke the debug function after logging in.

4. Some Dahua products leak information: an attacker can obtain the device's IP address and model by sending crafted packets.

5. The online upgrade information in some Dahua firmware packages is not encrypted; an attacker can recover it by analysing the firmware package.
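As an added illustration, not Dahua's code and not derived from the affected firmware, the following C shows the two bug classes named in items 1 and 3 beside hardened forms: a CGI field copied into a fixed-size buffer without a length check, and a debug action reachable by any logged-in session. The field names, the FIELD_MAX and QUERY_MAX bounds, the role model, the permitted character set and the toy dispatcher are all assumptions made for the example.

```c
/* Added illustration, not Dahua's code: the bug classes in summary items 1
 * and 3, each beside a hardened form.  FIELD_MAX, QUERY_MAX, the field
 * names, the permitted alphabet and the role model are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FIELD_MAX 32    /* assumed bound on one CGI field value, incl. NUL */
#define QUERY_MAX 256   /* assumed bound on the whole query string */

enum role { ROLE_USER = 1, ROLE_ADMIN = 2 };     /* assumed role model */
struct session { enum role role; };             /* NULL session = not logged in */

static const struct session USER_SESSION  = { ROLE_USER };
static const struct session ADMIN_SESSION = { ROLE_ADMIN };

/* Item 1, vulnerable form: the field is trusted, so a value longer than
 * FIELD_MAX-1 bytes writes past 'dst'.  Kept only as the 'before' picture;
 * never pass attacker-controlled input to it. */
void unsafe_copy_field(char dst[FIELD_MAX], const char *value)
{
    strcpy(dst, value);
}

/* Item 1, hardened form: bound the scan, enforce a maximum length and a
 * permitted character set, and fail closed.  Returns 0 on success, -1 on
 * rejection; 'dst' is always NUL-terminated. */
int safe_copy_field(char dst[FIELD_MAX], const char *value)
{
    const char *end = memchr(value, '\0', FIELD_MAX);  /* never look past the bound */
    dst[0] = '\0';
    if (end == NULL)
        return -1;                       /* FIELD_MAX bytes with no terminator: too long */
    size_t n = (size_t)(end - value);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return -1;                   /* byte outside the expected alphabet */
    }
    memcpy(dst, value, n + 1);           /* fits: n <= FIELD_MAX-1 */
    return 0;
}

/* Verdict-only wrapper around safe_copy_field: 1 = accepted, 0 = rejected. */
int field_accepts(const char *value)
{
    char tmp[FIELD_MAX];
    return safe_copy_field(tmp, value) == 0;
}

/* Item 3, vulnerable form: "logged in" is the only check, so a low-privilege
 * user reaches the debug function. */
int debug_allowed_unseparated(const struct session *s)
{
    return s != NULL;
}

/* Item 3, hardened form: debug is gated on a privilege distinct from login. */
int debug_allowed_separated(const struct session *s)
{
    return s != NULL && s->role == ROLE_ADMIN;
}

/* Toy CGI dispatcher over "key=value&key=value" input built on the hardened
 * pieces.  Returns an HTTP-style status: 200 ok, 400 rejected input, 403
 * forbidden.  Unknown fields are rejected rather than ignored. */
int handle_request(const struct session *s, const char *query)
{
    char buf[QUERY_MAX];
    char action[FIELD_MAX] = "";
    char channel[FIELD_MAX] = "";

    if (query == NULL || memchr(query, '\0', QUERY_MAX) == NULL)
        return 400;                      /* whole query bounded before parsing */
    strcpy(buf, query);                  /* safe: length verified just above */

    for (char *pair = buf; pair != NULL && *pair != '\0'; ) {
        char *amp = strchr(pair, '&');
        if (amp != NULL)
            *amp = '\0';
        char *eq = strchr(pair, '=');
        if (eq == NULL)
            return 400;                  /* malformed pair */
        *eq = '\0';
        char *dst;
        if (strcmp(pair, "action") == 0)
            dst = action;
        else if (strcmp(pair, "channel") == 0)
            dst = channel;
        else
            return 400;                  /* field not in the allow-list */
        if (safe_copy_field(dst, eq + 1) != 0)
            return 400;                  /* over-long or bad characters */
        pair = amp ? amp + 1 : NULL;
    }

    if (strcmp(action, "debug") == 0)
        return debug_allowed_separated(s) ? 200 : 403;
    if (strcmp(action, "getStatus") == 0)
        return s != NULL ? 200 : 403;
    return 400;                          /* unknown or missing action */
}

int main(void)
{
    /* constructed inputs for a stand-alone run */
    printf("user getStatus: %d\n", handle_request(&USER_SESSION, "action=getStatus&channel=1"));
    printf("user debug:     %d\n", handle_request(&USER_SESSION, "action=debug"));
    printf("admin debug:    %d\n", handle_request(&ADMIN_SESSION, "action=debug"));
    printf("over-long:      %d\n", handle_request(&USER_SESSION,
           "action=getStatus&channel=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```

The two design points worth carrying into real firmware code are that the field bound is applied before any byte of the value is scanned (memchr with a limit, not strlen), and that the debug gate checks a privilege separate from the login state, so the CVSS PR:L precondition of item 3 no longer buys the attacker the debug surface.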


CVE ID


1. CVE-2019-9677

2. CVE-2019-9678

3. CVE-2019-9679

4. CVE-2019-9680

5. CVE-2019-9681



Vulnerability Score (CVSS V3.0 http://www.first.org/cvss/specification-document):


1. CVE-2019-9677

Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 9.4 (E:H/RL:O/RC:C)

2. CVE-2019-9678

Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Temporal Score: 7.2 (E:H/RL:O/RC:C)

3. CVE-2019-9679

Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 8.4 (E:H/RL:O/RC:C)

4. CVE-2019-9680

Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Temporal Score: 5.1 (E:H/RL:O/RC:C)

5. CVE-2019-9681

Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Temporal Score: 5.1 (E:H/RL:O/RC:C)



Affected Products & Fix Software


The following product series and models are known to be affected at present (columns: Affected Model, Affected Version, Fix Software):

Affected Model: IPC-HDW1X2X, IPC-HFW1X2X, IPC-HDW2X2X, IPC-HFW2X2X
Affected Version: versions with a build time before August 18, 2019
Fix Software:
    DH_IPC-HX1X2X-Themis_Eng_P_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX1X2X-Themis_EngSpn_N_V2.620.0000004.0.R.191130.zip

Affected Model: IPC-HDW4X2X, IPC-HFW4X2X, IPC-HDBW4X2X
Affected Version: versions with a build time before August 18, 2019
Fix Software:
    DH_IPC-HX4X2X-Themis_Chn_PN_Stream3_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX4X2X-Themis_Chn_PN_Stream3_Wifi_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX4X2X-Themis_Eng_P_Stream3_Wifi_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_Wifi_V2.620.0000004.0.R.191130.zip

Affected Model: IPC-HDW5X2X, IPC-HFW5X2X
Affected Version: versions with a build time before August 18, 2019
Fix Software:
    DH_IPC-HX5X2X-Themis_Chn_PN_Stream3_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX5X2X-Themis_Eng_P_Stream3_V2.620.0000004.0.R.191130.zip
    DH_IPC-HX5X2X-Themis_EngSpn_N_Stream3_V2.620.0000004.0.R.191130.zip

Dahua will provide update information if additional affected products are identified.


Fix Software Download:


Please download the fix software listed in the table above, or a newer version, from the Dahua website, or contact Dahua local technical support to upgrade. After upgrading, confirm that the build time reported by the device is no longer before August 18, 2019.

The fix can be obtained as follows:

● Cloud Upgrade

Dahua products support cloud upgrade; the fix versions can be obtained through it.

● Dahua Official Website

Overseas: https://www.dahuasecurity.com/support/downloadCenter

● Dahua Technical Support Personnel


Support Resources:


Dahua's technical team is available to advise on and support the upgrade process. For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.
We acknowledge the support of Daniel Nussko, Thomas Vogt, Philipp Rombach, Dennis Barnekow and Florian Losch from the University of Applied Sciences Offenburg, who discovered these vulnerabilities and reported them to DHCC.


Note on Update:


2020-01-10 UPDATE: fix software updated

2019-09-14 INITIAL