Identity Authentication Bypass in Dahua Products
CVE-2021-33045
Key Information:
- Vendor: Dahuasecurity
- CVE Published: 15 September 2021
What is CVE-2021-33045?
Dahua products are susceptible to an identity authentication bypass vulnerability, allowing attackers to circumvent the authentication process during login. By crafting malicious data packets, unauthorized users can gain access to the devices, potentially leading to data breaches and further exploitation. It is essential for users and administrators of Dahua products to apply necessary patches and enhance security measures to protect their systems from such vulnerabilities.
CISA has reported CVE-2021-33045
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2021-33045 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Some Dahua IP Camera, Video Intercom, NVR, XVR devices: Dahua IP Camera devices IPC-HX3XXX, IPC-HX5XXX, and IPC-HUM7XXX Buildtime before May, 2020, Video Intercom devices VTO75X95X, VTO65XXX, and VTH542XH, NVR devices NVR1XXX, NVR2XXX, NVR5XXX, and NVR6XX, XVR devices XVR4xxx, XVR5xxx, and XVR7xxx Buildtime before December, 2019.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
EPSS Score
94% chance of being exploited in the next 30 days.
Timeline
- CISA Reported
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
