Bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials

fenderman


@bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials


1. Dahua DES/3DES (broken) authentication implementation and PSK
2. Vulnerability: Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM request when using DVRIP and DHP2P protocol
3. PoC: Added simple TCP/37777 DVRIP listener to display decrypted credentials in clear text
4. Vulnerability: Dahua DHP2P Cloud protocol credentials leakage
5. Vulnerability: Hardcoded DHP2P Cloud keys/passwords for 23 different providers
6. PoC: Access to devices within DHP2P Cloud. PoC only made for Dahua IMOU

From Dahua
It is important to look at the timeline. For those who think the latest firmware will protect them, look at the response time.
10/02/2020: Initiated contact with Dahua PSIRT
13/02/2020: Pinged Dahua PSIRT after no reply
13/02/2020: Dahua PSIRT ACK
15/02/2020: Pinged Dahua PSIRT
15/02/2020: Dahua PSIRT replied they are currently analyzing
16/02/2020: Clarified to Dahua PSIRT that 23 different cloud suppliers are affected
17/02/2020: Dahua PSIRT asked where and how I found cloud keys
18/02/2020: Provided additional details
26/02/2020: Received update from Dahua PSIRT for both vulnerabilities, where DES/3DES had apparently been reported earlier by Tenable as 'login replay'
26/02/2020: Clarified again that DES/3DES issue exist both with DVRIP client traffic (such as ConfigTool, SmartPSS... etc.) and Cloud client traffic (such as IMOU, IMOU Life clients... etc.), as the DVRIP protocol is present in both
26-28/02/2020: Researched Dahua PSIRT's information about Tenable's earlier report and found: Amcrest IP Camera Multiple Vulnerabilities
28/02/2020: Clarified again with Dahua PSIRT about credential leakage from clients by default during REALM request, and not only during 'login'
28/02/2020: Dahua PSIRT acknowledged and stated to assign CVE with credit to both Tenable and myself
28/02/2020: Reached out to Tenable to share information with the researcher of 'login replay' about the upcoming CVE
16/04/2020: Pinged Dahua PSIRT
17/04/2020: Dahua PSIRT responded with CVEs and said they will release the security advisory on May 10, 2020
- CVE-2019-9682: DES / 3DES vulnerability
- CVE-2020-9501: 23 cloud keys disclosure
06/05/2020: Dahua PSIRT sent their security advisory, with updated date for release May 12, 2020.
09/05/2020: Full Disclosure
@fenderman
@alastairstevenson
I’m finding it difficult to see from the links if my USA NVR N52B3P is vulnerable.
System ver 4.000.0000001.5 Build date 2019-12-06.
Can either of you help?


Sent from my iPad using Tapatalk
 
It’s really irrelevant; you should always assume it’s vulnerable and use a VPN.

Understood but that’s not always possible (depending on circumstances). It must have some relevance or you wouldn’t have spent so much time researching and posting it which I very much appreciate. I’d like to mitigate with the update if it applies to me. Can you help?


Sent from my iPhone using Tapatalk
 
It is not only always possible, it is always required. I posted it to warn people like you, particularly the part about the latest firmware being useless, because these exploits are out there for many months before they are plugged. So you can bury your head in the sand and believe that your device is safe, or do the right thing and protect yourself.
 
I’m finding it difficult to see from the links if my USA NVR N52B3P is vulnerable.
System ver 4.000.0000001.5 Build date 2019-12-06.
I'm guessing a bit - like you, I don't see that model number in the vulnerable devices list.
But if you look in the Wiki, you will see that the firmware for that model number is listed with the following filename:
DH_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319.bin
 

I think you are misunderstanding and perhaps being a little overly aggressive towards me. I am NOT saying my system is safe nor am I sticking my head in the sand.


Sent from my iPad using Tapatalk
 
Just checked and it looks like it does not affect my cameras, but thanks for the heads up mate. Just in the process of buying a router which allows me to install a VPN, as my current ISP (Virgin) does not allow this on their own routers.

Again thanks for the update.

 

Thank you very much!


Sent from my iPad using Tapatalk
 
I’m not here to tell you everything is OK; I’m here to tell you what you’re doing is unsafe. It’s just a matter of time before your device gets hacked; it may already be hacked. Regardless of whether this particular exploit affects your device, there are many others that you don’t even know about yet.
 
You are missing the most important point when it comes to 3DES credential leaks:
Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM request when using DVRIP and DHP2P protocol

Both clients and devices are compiled with NetSDK, figure.
 

Thanks again. You were right on the new firmware version. I reached out to their security team and they pointed out the verbiage in the link “Versions which Build time before December,2019” which meant mine wasn’t impacted by this vulnerability but I applied it anyway as they recommended and noticed other changes in the firmware including the UI.

Good work from @fenderman in finding this. It’s rated 8.3 (I think) which is “high” but not “critical” (which is 9-10) possibly due to things like whether it’s actively being exploited in the wild or not or the complexity of the hack or several other factors.

For me, and perhaps others, some carrier-supported routers don’t support network-based VPN, so having a layered security approach with firewalls, ACLs, passwords and multi-factor authentication and, importantly, updated firmware has to suffice.


Sent from my iPad using Tapatalk
 

Not really true,

You should find a setting called "Security mode" and "Compatibility mode", where the first turns off the 3DES login, and the second turns on 3DES login.
The "Before 2019", that's after Tenable showed the "Login Replay Attack": Amcrest IP Camera Multiple Vulnerabilities

If you have not turned off "easy4ip/cloud/whatever", and anyone has the S/N of your device, they can still reach your device via the Cloud.
(Even if they don't have your full S/N, they may reach your device by scanning off some S/N ranges)

Nevertheless, good that you upgraded your device, now it's your client(s) next. (And implement VPN w/o Cloud enabled)
If your router does not support VPN, time to throw that old junk out and get a new one, IMHO.
 
So I am a little confused about how the 'X' is used in the names. So would the below include the IPC-HFW5241E-Z12E? It looks like the mask has an extra 'X' just after the 'H':

1589409992132.png

If cameras are physically isolated from the internet (on a separate sub-net and switch) would this issue be of concern?
 

All that easy4ip cloud stuff is off and cameras are up to current. I’m stuck with my local Spectrum routers for now but I appreciate your opinion.


Sent from my iPhone using Tapatalk