
Security Advisory – Session ID predictable vulnerability found in some Dahua products


SA ID: DHCC-SA-202005-003


First Published: 2020-5-11


Summary:


1. CVE-2020-9502: Session ID predictable vulnerability


Some Dahua products have a predictable Session ID vulnerability. While a legitimate user is accessing the device, an attacker can use the predicted Session ID to construct a data packet to attack the device.


Vulnerability Score (CVSS V3.1 http://www.first.org/cvss/specification-document):


CVE-2020-9502


Base Score: 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Score: 7.9 E:P/RL:O/RC:C


Affected Products & Fix Software:


The following product series and models are currently known to be affected:

| Affected Model | Affected Version | Fix Software |
| --- | --- | --- |
| IPC-HX2XXX Series | Versions with a build time before December, 2019 | DH_IPC-HX25(8)XX-Molec_MultiLang_PN_V2.800.0000000.15.R.200313<br>General_IPC-HX25(8)XX-Molec_MultiLang_PN_V2.800.0000000.15.R.200313<br>DH_IPC-HX25(8)XX-Molec_MultiLang_NP_V2.800.0000000.15.R.200313<br>General_IPC-HX25(8)XX-Molec_MultiLang_NP_V2.800.0000000.15.R.200313 |
| IPC-HXXX5X4X Series | Versions with a build time before December, 2019 | DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.800.0000000.12.R.200319<br>DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.800.0000000.12.R.200319 |
| IPC-HX5842H | Versions with a build time before December, 2019 | DH_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.5.R.200324<br>DH_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.5.R.200324<br>General_IPC-HX8XXX-Nobel_MultiLang_PN_Stream3_V2.800.0000000.5.R.200324<br>General_IPC-HX8XXX-Nobel_MultiLang_NP_Stream3_V2.800.0000000.5.R.200324 |
| IPC-HX7842H | Versions with a build time before December, 2019 | DH_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.5.R.200324<br>DH_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.5.R.200324<br>General_IPC-HX8XXX-Nobel_MultiLang_NP_V2.800.0000000.5.R.200324<br>General_IPC-HX8XXX-Nobel_MultiLang_PN_V2.800.0000000.5.R.200324 |
| NVR 5x Series | Versions with a build time before December, 2019 | DH_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319<br>General_NVR5XXX-4KS2_Chn_V4.001.0000000.1.R.200319<br>General_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319<br>General_NVR5XXX-4KS2_Eng_V4.001.0000000.1.R.200319<br>DH_NVR5XXX-4KS2_Chn_V4.001.0000000.1.R.200319 |
| NVR 4x Series | Versions with a build time before December, 2019 | General_NVR4XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319<br>DH_NVR4XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319<br>General_NVR4XXX-4KS2_Chn_V4.001.0000000.1.R.200319<br>General_NVR4XXX-4KS2_Eng_V4.001.0000000.1.R.200319<br>DH_NVR4XXX-4KS2_Chn_V4.001.0000000.1.R.200319 |
| SD6AL Series | Versions with a build time before December, 2019 | DH_SD-Prometheus_MultiLang_PN_Stream3_V2.800.0000009.3.R.200331<br>DH_SD-Prometheus_Chn_PN_Stream3_V2.800.0000009.3.R.200331<br>General_SD-Prometheus_MultiLang_NP_Stream3_V2.800.0000009.3.R.200331<br>General_SD-Prometheus_Chn_PN_Stream3_V2.800.0000009.3.R.200331<br>DH_SD-Prometheus_MultiLang_NP_Stream3_V2.800.0000009.3.R.200331<br>General_SD-Prometheus_MultiLang_PN_Stream3_V2.800.0000009.3.R.200331 |
| SD5A Series | | |
| SD1A Series | | |
| PTZ1A Series | | |
| SD50/52C Series | | |
| IPC-HFW1431S | Versions with a build time before December, 2019 | DH_IPC-HX2X3X-Rhea_MultiLang_NP_Stream2_V2.800.0000015.0.R.200430<br>DH_IPC-HX2X3X-Rhea_MultiLang_PN_Stream2_V2.800.0000015.0.R.200430<br>General_IPC-HX2X3X-Rhea_Eng_NP_Stream2_V2.800.0000015.0.R.200430<br>General_IPC-HX2X3X-Rhea_Eng_PN_Stream2_V2.800.0000015.0.R.200430 |

Note: Please log in to the Web interface of the device to view the Build time, which you can find on the Settings-System Information-Version Information page (setting-systeminfo-version).


Fix Software Download:


Please download the corresponding fix software, or a newer version, as listed in the above table from the Dahua website, or contact Dahua local technical support to upgrade.


Cloud Upgrade: Dahua products have the capability of cloud upgrade. Relevant repair versions can be obtained through cloud upgrade.

Dahua Official Website: Mainland: https://www.dahuasecurity.com/support/downloadCenter

Dahua Technical Support Personnel


Support Resources:


For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.

We acknowledge the support of Thomas Vogt from the University of Applied Sciences Offenburg, who discovered this vulnerability and reported it to DHCC.