JVNDB-2024-000007

Multiple Dahua Technology products vulnerable to authentication bypass

Overview

Multiple products provided by Dahua Technology contain an authentication bypass vulnerability (CWE-287).

Mitsui Bussan Secure Directions, Inc. reported to IPA that the vulnerability existed in "DHI-ASI7213Y-V3-T1".
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.1 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

CVSS V2 Severity:
Base Metrics 7.6 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

Affected Products

Dahua Technology Co., Ltd
  • DHI-ASI7213Y-V3-T1 versions with a build time before June 2021
  • IPC-HUM7XXX versions with a build time before June 2021
  • IPC-HX1XXX versions with a build time before June 2021
  • IPC-HX2XXX versions with a build time before June 2021
  • IPC-HX3XXX versions with a build time before June 2021
  • IPC-HX5(4)(3)XXX versions with a build time before June 2021
  • IPC-HX5XXX versions with a build time before June 2021
  • IPC-HX8XXX versions with a build time before June 2021
  • PTZ Dome Camera SD1A1 versions with a build time before June 2021
  • PTZ Dome Camera SD22 versions with a build time before June 2021
  • PTZ Dome Camera SD49 versions with a build time before June 2021
  • PTZ Dome Camera SD50 versions with a build time before June 2021
  • PTZ Dome Camera SD52C versions with a build time before June 2021
  • PTZ Dome Camera SD6AL versions with a build time before June 2021
  • Thermal TPC-BF1241 versions with a build time before June 2021
  • Thermal TPC-BF2221 versions with a build time before June 2021
  • Thermal TPC-BF5XXX versions with a build time before June 2021
  • Thermal TPC-PT8X21B versions with a build time before June 2021
  • Thermal TPC-SD2221 versions with a build time before June 2021
  • Thermal TPC-SD8X21 versions with a build time before June 2021
  • VTH542XH versions with a build time before June 2021
  • VTO65XXX versions with a build time before June 2021
  • VTO75X95X versions with a build time before June 2021

Impact

The product's identity verification may be bypassed if a remote attacker sends specially crafted data packets.

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

Dahua Technology Co., Ltd

CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]

CVE

  1. CVE-2021-33044

References

  1. JVN : JVN#83655695
  2. National Vulnerability Database (NVD) : CVE-2021-33044

Revision History

  • [2024/01/18]
      Web page was published
  • [2024/07/11]
      References : Content was added