Bashis finds New May 2020 Dahua Vulnerability p2p cloud credentials

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250

@bashis
finds New May 2020 Dahua Vulnerability p2p cloud credentials


1. Dahua DES/3DES (broken) authentication implementation and PSK
2. Vulnerability: Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM request when using DVRIP and DHP2P protocol
3. PoC: Added simple TCP/37777 DVRIP listener to display decrypted credentials in clear text
4. Vulnerability: Dahua DHP2P Cloud protocol credentials leakage
5. Vulnerability: Hardcoded DHP2P Cloud keys/passwords for 23 different providers
6. PoC: Access to devices within DHP2P Cloud. PoC only made for Dahua IMOU

From Dahua
 
Last edited:

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
It is important to look at the timeline. For those who think the latest firmware will protect them, look at the response time.
10/02/2020: Initated contact with Dahua PSIRT
13/02/2020: Pinged Dahua PSIRT after no reply
13/02/2020: Dahua PSIRT ACK
15/02/2020: Pinged Dahua PSIRT
15/02/2020: Dahua PSIRT replied they currently analyzing
16/02/2020: Clarified to Dahua PSIRT that 23 different cloud suppliers are affected
17/02/2020: Dahua PSIRT asked where and how I found cloud keys
18/02/2020: Provided additional details
26/02/2020: Received update from Dahua PSIRT for both vulnerabilites, where DES/3DES had apperantly been reported earlier by Tenable as 'login replay'
26/02/2020: Clarified again that DES/3DES issue exist both with DVRIP client traffic (such as ConfigTool, SmartPSS... etc.) and Cloud client traffic (such as IMOU, IMOU Life clients... etc.), as the DVRIP protocol is present in both
26-28/02/2020: Researched about Dahua PSIRT information about Tenable earlier report and found: Amcrest IP Camera Multiple Vulnerabilities
28/02/2020: Clarified again with Dahua PSIRT about credential leakage from clients by default during REALM request, and not only during 'login'
28/02/2020: Dahua PSIRT acknowledged and stated to assign CVE with credit to both Tenable and myself
28/02/2020: Reached out to Tenable to share information with the researcher of 'login replay' about the upcoming CVE
16/04/2020: Pinged Dahua PSIRT
17/04/2020: Dahua PSIRT responded with CVEs and told they will realease security advisory on May 10, 2020
- CVE-2019-9682: DES / 3DES vulnerability
- CVE-2020-9501: 23 cloud keys disclosure
06/05/2020: Dahua PSIRT sent their security advisory, with updated date for release May 12, 2020.
09/05/2020: Full Disclosure
 
Last edited:

msnow

Getting the hang of it
Joined
Aug 31, 2015
Messages
153
Reaction score
29
@fenderman
@alastairstevenson
I’m finding it difficult to see from the links if my USA NVR N52B3P is vulnerable.
System ver 4.000.0000001.5 Build date 2019-12-06.
Can either of you help?


Sent from my iPad using Tapatalk
 

john-ipvm

Known around here
Joined
Oct 15, 2015
Messages
420
Reaction score
675

msnow

Getting the hang of it
Joined
Aug 31, 2015
Messages
153
Reaction score
29
It’s really a relevant you should always assume it’s vulnerable and use a VPN.
Understood but that’s not always possible (depending on circumstances). It must have some relevance or you wouldn’t have spent so much time researching and posting it which I very much appreciate. I’d like to mitigate with the update if it applies to me. Can you help?


Sent from my iPhone using Tapatalk
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
Understood but that’s not always possible (depending on circumstances). It must have some relevance or you wouldn’t have spent so much time researching and posting it which I very much appreciate. I’d like to mitigate with the update if it applies to me. Can you help?


Sent from my iPhone using Tapatalk
It is not only always possible it is always required. I posted it to warn people like you particularly the part about the latest firmware being useless because these exploits are out there for many months before they are plugged. So you can bury your head in the sand and believe that your device is safe or do the right thing and protect yourself.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I’m finding it difficult to see from the links if my USA NVR N52B3P is vulnerable.
System ver 4.000.0000001.5 Build date 2019-12-06.
I'm guessing a bit - like you, I don't see that model number in the vulnerable devices list.
But if you look in the WiKi

you will see that the firmware for that model number is listed with the following filename :
DH_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319.bin
 

msnow

Getting the hang of it
Joined
Aug 31, 2015
Messages
153
Reaction score
29
It is not only always possible it is always required. I posted it to warn people like you particularly the part about the latest firmware being useless because these exploits are out there for many months before they are plugged. So you can bury your head in the sand and believe that your device is safe or do the right thing and protect yourself.
I think you are misunderstanding and perhaps being a little overly aggressive towards me. I am NOT saying my system is safe nor am I sticking my head in the sand.


Sent from my iPad using Tapatalk
 

ljw2k

Known around here
Joined
Jun 9, 2014
Messages
1,486
Reaction score
2,260
Location
United Kingdom
Just checked and looks like it does not effect my camera's but thanks for the heads up mate. Just in the process of buying a router which allows me to install a VPN as my current ISP ( Virgin ) does not allow this on their own routers.

Again thanks for the update.

2020-05-13 16_07_34-Microsoft Edge.jpg
 

msnow

Getting the hang of it
Joined
Aug 31, 2015
Messages
153
Reaction score
29
I'm guessing a bit - like you, I don't see that model number in the vulnerable devices list.
But if you look in the WiKi

you will see that the firmware for that model number is listed with the following filename :
DH_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319.bin
Thank you very much!


Sent from my iPad using Tapatalk
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
I think you are misunderstanding and perhaps being a little overly aggressive towards me. I am NOT saying my system is safe nor am I sticking my head in the sand.


Sent from my iPad using Tapatalk
I’m not here to tell you everything is OK I’m here to tell you what you’re doing is unsafe. It’s just a matter of time before your device gets hacked it may already be hacked regardless if this particular exploit affects your device there are many others that you don’t even know about yet.
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
118
You are missing the most important when it comes to 3DES credential leaks:
Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM request when using DVRIP and DHP2P protocol

Both clients and devices are compiled with NetSDK, figure.
 

msnow

Getting the hang of it
Joined
Aug 31, 2015
Messages
153
Reaction score
29
I'm guessing a bit - like you, I don't see that model number in the vulnerable devices list.
But if you look in the WiKi

you will see that the firmware for that model number is listed with the following filename :
DH_NVR5XXX-4KS2_MultiLang_V4.001.0000000.1.R.200319.bin
Thanks again. You were right on the new firmware version. I reached out to their security team and they pointed out the verbiage in the link “Versions which Build time before December,2019” which meant mine wasn’t impacted by this vulnerability but I applied it anyway as they recommended and noticed other changes in the firmware including the UI.

Good work from @fenderman in finding this. It’s rated 8.3 (I think) which is “high” but not “critical” (which is 9-10) possibly due to things like whether it’s actively being exploited in the wild or not or the complexity of the hack or several other factors.

For me, and perhaps others, some carrier supported routers don’t support network based VPN so having a layered security approach with firewalls, ACL’s, passwords and multi-factored authentication and, importantly, updated firmware has to suffice.


Sent from my iPad using Tapatalk
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
118
Thanks again. You were right on the new firmware version. I reached out to their security team and they pointed out the verbiage in the link “Versions which Build time before December,2019” which meant mine wasn’t impacted by this vulnerability but I applied it anyway as they recommended and noticed other changes in the firmware including the UI.

Good work from @fenderman in finding this. It’s rated 8.3 (I think) which is “high” but not “critical” (which is 9-10) possibly due to things like whether it’s actively being exploited in the wild or not or the complexity of the hack or several other factors.

For me, and perhaps others, some carrier supported routers don’t support network based VPN so having a layered security approach with firewalls, ACL’s, passwords and multi-factored authentication and, importantly, updated firmware has to suffice.
Not really true,

You should find a setting called "Security mode" and "Compatibility mode", where the first turn off the 3DES login, and the second turn on 3DES login.
The "Before 2019", thats after tenable showed the "Login Replay Attack": Amcrest IP Camera Multiple Vulnerabilities

If you have not turned off "easy4ip/cloud/whatever", and anyone have the S/N of your device, they can still reach your device via the Cloud.
(Even if they don't have your full S/N, they may reach your device by scanning off some S/N ranges)

Nevertheless, good that you upgraded your device, now it's your client(s) next. (And implement VPN w/o Cloud enabled)
If your router do not support VPN, time to throw that old junk out and get new one, IMHO.
 
Joined
Aug 8, 2018
Messages
7,386
Reaction score
25,889
Location
Spring, Texas
So I am a little confused about how the 'X' is used in the names. So would the below include the IPC-HFW5241E-Z12E? It looks like the mask has an extra 'X' just after the 'H':

1589409992132.png

If cameras are physically isolated from the internet (on a separate sub-net and switch) would this issue be of concern?
 

msnow

Getting the hang of it
Joined
Aug 31, 2015
Messages
153
Reaction score
29
Not really true,

You should find a setting called "Security mode" and "Compatibility mode", where the first turn off the 3DES login, and the second turn on 3DES login.
The "Before 2019", thats after tenable showed the "Login Replay Attack": Amcrest IP Camera Multiple Vulnerabilities

If you have not turned off "easy4ip/cloud/whatever", and anyone have the S/N of your device, they can still reach your device via the Cloud.
(Even if they don't have your full S/N, they may reach your device by scanning off some S/N ranges)

Nevertheless, good that you upgraded your device, now it's your client(s) next. (And implement VPN w/o Cloud enabled)
If your router do not support VPN, time to throw that old junk out and get new one, IMHO.
All that easy4ip cloud stuff is off and cameras are up to current. I’m stuck with my local Spectrum routers for now but I appreciate your opinion.


Sent from my iPhone using Tapatalk
 
Top