The US cybersecurity agency CISA this week issued a warning over the exploitation of two critical-severity authentication bypass vulnerabilities impacting multiple Dahua products.
The issues, tracked as CVE-2021-33044 and CVE-2021-33045 (both with a CVSS score of 9.8), were discovered in Dahua firmware iterations running on the company’s IP cameras, indoor monitors, intercom stations, and digital video recorder (DVR) products.
CVE-2021-33044 is triggered “when the NetKeyboard type argument is specified by the client during authentication”, CISA explains in a new entry in the Known Exploited Vulnerabilities (KEV) catalog.
On Dahua firmware released prior to June 2021 for devices that do not support NetKeyboard functionality, an attacker can specify the NetKeyboard type argument at login to completely bypass authentication, because the firmware treats that client type as already trusted.
CVE-2021-33045 can be triggered when “the loopback device is specified by the client during authentication”, CISA notes.
The issue impacts Dahua firmware releases prior to mid-2020 and can be triggered by specifying a custom IP address, login type, and client type in the login request, so that the request appears to originate from the loopback interface and authentication is bypassed. In both cases the root cause is the same: the device makes its authorization decision on attributes asserted by the client rather than on facts it can verify itself.
The first bug affects IP cameras, indoor monitors, and intercom stations, while the second also impacts DVR products.
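The following is an added illustration written for this article, not Dahua firmware or any published PoC. It models the two bypass patterns described above as a minimal login-authorization routine, shows the hardened form that only trusts signals derived server-side (the socket peer address and the credential check), and includes a small detector that flags login bodies exhibiting either pattern. The request field names (clientType, loginType, ipAddr, userName, password) and the sample requests are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample credential store: one account with a hashed password.
USERS = {"admin": hashlib.sha256(b"s3cret").hexdigest()}

# Client types the modelled (old) firmware treated as pre-authenticated.
TRUSTED_CLIENT_TYPES = {"NetKeyboard"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


@dataclass
class LoginRequest:
    params: dict   # login body supplied by the client: untrusted input
    peer_ip: str   # address of the TCP peer, taken from the socket, not the body


def password_ok(params: dict) -> bool:
    """Constant-time credential check against the sample store."""
    expected = USERS.get(params.get("userName", ""))
    if expected is None:
        return False
    supplied = hashlib.sha256(params.get("password", "").encode()).hexdigest()
    return hmac.compare_digest(supplied, expected)


def claims_loopback(params: dict) -> bool:
    """True when the request body itself asserts a loopback origin."""
    return (params.get("loginType") == "Loopback"
            or params.get("ipAddr") in LOOPBACK_ADDRS)


def login_vulnerable(req: LoginRequest) -> bool:
    """Authorization that trusts client-asserted fields (the bug class)."""
    p = req.params
    if p.get("clientType") in TRUSTED_CLIENT_TYPES:   # CVE-2021-33044 pattern
        return True
    if claims_loopback(p):                             # CVE-2021-33045 pattern
        return True
    return password_ok(p)


def login_hardened(req: LoginRequest) -> bool:
    """Same decision with every trust signal derived on the server side."""
    p = req.params
    # A body claiming loopback that arrives from elsewhere is an attack, not a quirk.
    if claims_loopback(p) and req.peer_ip not in LOOPBACK_ADDRS:
        return False
    # clientType may select features later; it is never an authentication shortcut.
    return password_ok(p)


def bypass_indicators(req: LoginRequest) -> list:
    """Detection helper: names of the bypass patterns present in a request."""
    p = req.params
    hits = []
    if p.get("clientType") in TRUSTED_CLIENT_TYPES:
        hits.append("trusted-client-type")
    if claims_loopback(p) and req.peer_ip not in LOOPBACK_ADDRS:
        hits.append("spoofed-loopback-origin")
    return hits


# Constructed sample requests (addresses are documentation ranges).
ATTACK_NETKEYBOARD = LoginRequest(
    params={"userName": "admin", "password": "", "clientType": "NetKeyboard",
            "loginType": "Direct"},
    peer_ip="203.0.113.7")
ATTACK_LOOPBACK = LoginRequest(
    params={"userName": "admin", "password": "", "clientType": "Local",
            "loginType": "Loopback", "ipAddr": "127.0.0.1"},
    peer_ip="203.0.113.7")
LEGIT = LoginRequest(
    params={"userName": "admin", "password": "s3cret", "clientType": "Web",
            "loginType": "Direct", "ipAddr": "198.51.100.20"},
    peer_ip="198.51.100.20")

if __name__ == "__main__":
    for name, req in [("netkeyboard", ATTACK_NETKEYBOARD),
                      ("loopback", ATTACK_LOOPBACK), ("legit", LEGIT)]:
        print(f"{name:12s} vulnerable={login_vulnerable(req)} "
              f"hardened={login_hardened(req)} indicators={bypass_indicators(req)}")
```

The point of the hardened variant is that the request body can say anything; only the peer address the kernel reports and a real credential check are evidence. The detector is the same comparison turned around, and can be run over captured login bodies from a Dahua management port to find attempts matching either pattern.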
The vulnerabilities were disclosed in late 2021, when Dahua released patches for them. In total, the company appears to have released roughly 70 firmware updates to resolve the flaws across its product portfolio.
On Wednesday, CISA added the two security defects to KEV along with CVE-2022-0185, a Linux kernel vulnerability known to have been exploited by Chinese hackers, and CVE-2021-31196, a Microsoft Exchange Server information disclosure issue part of the ProxyOracle attack.
Microsoft patched the Exchange bug in July 2021 and classifies it as a remote code execution issue, although in practice it behaves as an information disclosure flaw: chained with a reflected cross-site scripting (XSS) bug in Exchange Server (CVE-2021-31195), it can be exploited to recover user passwords in plaintext.
Proof-of-concept (PoC) code targeting the Dahua and Exchange Server defects has been available since 2021, but SecurityWeek has not seen reports of malicious exploitation prior to CISA’s warning.
Per Binding Operational Directive (BOD) 22-01, with the four bugs added to KEV, federal agencies have until September 11 to identify vulnerable products within their environments and apply the vendor patches or other available mitigations.
BOD 22-01 only applies to federal agencies, but CISA encourages all organizations to review the KEV list and address the included vulnerabilities as soon as possible.