The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. Vulnerable device types: IPC/VTH/VTO/NVR/DVR. IPC/VTH/VTO devices firmware older than June 2021 is vulnerable to CVE-2021-33044. IPC/VTH/VTO/NVR/DVR devices firmware older than beginning/mid 2020 is vulnerable to CVE-2021-33045. The list of the affected models is extensive and covers many of Dahua cameras. Shodan detects over 1.2 million Dahua systems around the world. It is important to clarify that not all of these devices are vulnerable to exploitation, but the list of the affected models contains some widely deployed ones.

Recommendations

• Upgrade your Dahua camera to the latest available firmware version for your model.
• Change the password it came with out of the box with something unique and strong. Leaving the access credentials to “admin” - “admin” is a sure way to having your video feeds exposed.
• It is a good practice to set up a separate, isolated network for your IoTs if possible.

References

• Unpatched Dahua cams vulnerable to unauthenticated remote access
• Dahua Security Advisory

CVE-2021-33044,CVE-2021-33045