|2017-05-04||Other||Dahua Technology||Researcher Bashis disclosed these vulnerabilities without coordination with ICS-CERT.
||N/A||CVE-2017-7927 CVE-2017-7925 ||N/A||N/A||N/A|
# Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras
### VULNERABLE VENDOR
### VULNERABLE PRODUCT
Digital Video Recorders and IP Cameras
Researcher Bashis disclosed these vulnerabilities without coordination with ICS-CERT.
### AFFECTED PRODUCTS
The following Dahua Technology Co., Ltd (Dahua) network cameras are affected:
The following Dahua Digital Video Recorders (DVRs) are affected:
Successful exploitation of these vulnerabilities could allow the attacker to obtain user credentials, including password hashes, and use these credentials to bypass authentication.
### VULNERABILITY OVERVIEW
USE OF PASSWORD HASH INSTEAD OF PASSWORD FOR AUTHENTICATION CWE-836
The affected devices accept a password hash in place of the password for authentication, which could allow a malicious user to bypass authentication without obtaining the actual password.
CVE-2017-7927 has been assigned to this vulnerability.
A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
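The general CWE-836 pattern beside a corrected design, as an added illustration that is not part of the advisory and does not reproduce Dahua's firmware or protocol. The function names, the SHA-256 and PBKDF2 choices, and the sample password are assumptions, and the corrected form assumes the password travels over an encrypted channel.

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery"   # constructed sample, not a real credential
ITERATIONS = 600_000                 # PBKDF2 work factor chosen for this example

def weak_enroll(password: str) -> str:
    """CWE-836 pattern: the server stores H(password)."""
    return hashlib.sha256(password.encode()).hexdigest()

def weak_verify(stored_hash: str, submitted: str) -> bool:
    """The client hashes locally and submits the hash; the server only
    compares it with the stored value, so the stored hash IS the credential."""
    return hmac.compare_digest(stored_hash, submitted)

def strong_enroll(password: str) -> tuple[bytes, bytes]:
    """Store a per-user salt and a slow, salted derivation of the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def strong_verify(record: tuple[bytes, bytes], submitted: str) -> bool:
    """The server derives the verifier itself from whatever was submitted."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)

def leaked_record_authenticates() -> tuple[bool, bool]:
    """Submit only the stored value, as someone who read the credential
    store but never learned the password would. Returns (weak, strong)."""
    weak_record = weak_enroll(PASSWORD)
    strong_record = strong_enroll(PASSWORD)
    return (weak_verify(weak_record, weak_record),
            strong_verify(strong_record, strong_record[1].hex()))

if __name__ == "__main__":
    print(leaked_record_authenticates())
```

In the first design, disclosure of the credential store is equivalent to disclosure of every password; in the second, the stored value cannot be submitted in place of the password.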
PASSWORD IN CONFIGURATION FILE CWE-260
A password stored in a configuration file was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information.
CVE-2017-7925 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Critical Infrastructure Sector(s): Commercial Facilities, Critical Manufacturing, Financial, Government Facilities, and Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: China
Dahua has released updated firmware to mitigate these vulnerabilities.
Updated software can be obtained from Dahua technical support or an authorized Dahua distributor.
In addition, Dahua released the following security notifications for users:
Cyber Vulnerability Affecting Certain Dahua IP Cameras and Recorders (March 6)
Cybersecurity Statement – March 6, 2017
Cybersecurity Vulnerability Update – March 8, 2017
Cyber Vulnerability Affecting Certain Dahua IP Cameras and Recorders (April 3)
Dahua’s original notification specifies 11 affected models, but after initial testing, Dahua has identified additional series and models in the following security notification:
Security Notification DHCC-201703-01