Dahuasecurity.com verwendet Cookies und ähnliche Technologien. Dahua verwendet funktionale und analytische Cookies, um Funktionen der Seiten sicherzustellen und Ihre Nutzererfahrung optimal zu gestalten. Cookies von Drittanbietern können Daten auch außerhalb unserer Websites sammeln. Wenn Sie klicken Ich stimme zuoder Sie sind für das Setzen von Cookies und die Verarbeitung der betreffenden personenbezogenen Daten einverstanden, wenn Sie diese Seite weiterhin benutzen. Mehr Informationen zu unseren Cookie Statement.

Security Advisory – Privilege escalation vulnerability found in some Dahua IP products

195

SA ID: DHCC-SA-201803-001


First Published: March 16, 2018


Update revision: May 22, 2018


Summary:


Privilege escalation vulnerability found in some Dahua IP devices. Attacker in possession of low privilege account can gain access to credential information of high privilege account and further obtain device information or attack the device.


CVE ID: CVE-2017-9317


Vulnerability Score (CVSS V3.0 http://www.first.org/cvss/specification-document):


Base Score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Temporal Score: 6.6 (E:F/RL:O/RC:C)


Affected Products & Fix Software:


Dahua has conducted screening to identify the following affected recorder products.


Affected Model

Firmware Version

Fix Software

XVR 5x04

DH_XVR5x04_Eng_P_V3.218.0000001.2.R.170808

DH_XVR5x04_Eng_P_V3.210.0001.11.R.20170525

DH_XVR5x04_Eng_P_V3.210.0001.8.R.20170307

DH_XVR5x04_Eng_P_V3.210.0001.7.R.20170218

DH_XVR5x04_Eng_P_V3.210.0001.3.R.20160914

DH_XVR5x04_Eng_P_V3.218.0000002.1.R.171229

XVR 5x08

DH_XVR5x08_Eng_P_V3.218.0000001.2.R.170808

DH_XVR5x08_Eng_P_V3.210.0001.11.R.20170525

DH_XVR5x08_Eng_P_V3.210.0001.8.R.20170307

DH_XVR5x08_Eng_P_V3.210.0001.7.R.20170218

DH_XVR5x08_Eng_P_V3.210.0001.3.R.20160914

DH_XVR5x08_Eng_P_V3.218.0000002.1.R.171229

XVR 5x16

DH_XVR5x16_Eng_P_V3.218.0000001.2.R.170808

DH_XVR5x16_Eng_P_V3.210.0001.11.R.20170525

DH_XVR5x16_Eng_P_V3.210.0001.8.R.20170307

DH_XVR5x16_Eng_P_V3.210.0001.7.R.20170218

DH_XVR5x16_Eng_P_V3.210.0001.3.R.20160914

DH_XVR5x16_Eng_P_V3.218.0000002.1.R.171229

XVR 7x16

DH_XVR7x16_Eng_P_V3.218.0000001.2.R.170808

DH_XVR7x16_Eng_P_V3.210.0001.11.R.20170525

DH_XVR7x16_Eng_P_V3.210.0001.8.R.20170307

DH_XVR7x16_Eng_P_V3.210.0001.7.R.20170218

DH_XVR7x16_Eng_P_V3.210.0001.3.R.20160914

DH_XVR7x16_Eng_P_V3.218.0000002.1.R.171229


Dahua has conducted screening to identify the following affected camera products.


Affected Model

Firmware Version

Fix Software

IPC-HDBW4XXX

Build before 2017/09

DH_IPC-HX5X3X-Rhea_EngSpnFrn_N_Stream3_V2.622.0000000.18.R.20171110

DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.622.0000000.18.R.20171110

DH_IPC-HX5X3X-Rhea_Chn_PN_Stream3_V2.622.0000000.18.R.20171110

DH_IPC-HX4XXX-Eos_Chn_PN_Stream3_V2.621.0000.28.R.20170912

IPC-HDBW5XXX

Build before 2017/09

DH_IPC-HX5X3X-Rhea_EngSpnFrn_N_Stream3_V2.622.0000000.18.R.20171110

DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.622.0000000.18.R.20171110

DH_IPC-HX5X3X-Rhea_Chn_PN_Stream3_V2.622.0000000.18.R.20171110

DH_IPC-HX4XXX-Eos_Chn_PN_Stream3_V2.621.0000.28.R.20170912


Dahua will provide update information if additional affected products are identified.


Fix software download:


Please download the corresponding fix software (or its newer version) as listed in the above table from Dahua website. Customers can also contact Dahua local technical support to obtain the fix software


Support Resources


Dahua technical team will be available to advise and support the upgrade process. For any questions or concerns related to cybersecurity, please contact Dahua at cybersecurity@dahuatech.com


We acknowledge the support of Tiger Puma from fosec.vn who discovered this vulnerability and reported to DHCC


Revision History


2018-5-22 UPDATE Affected products and fix software

2018-3-16 INITIAL