{"vuid":"VU#800094","idnumber":"800094","name":"Dahua Security DVRs contain multiple vulnerabilities","keywords":["Dahua","dvr","cwe-798","cwe-294","cwe-521","cwe-916","upnp","backdoor"],"overview":"Digital video recorders (DVR) produced by Dahua Technology Co., Ltd. contain multiple vulnerabilities that could allow a remote attacker to gain privileged access to the devices.","clean_desc":"Dahua Technologies Co., Ltd. produces DVR appliances that contain multiple vulnerabilities. CWE-798: Use of Hard-coded Credentials - CVE-2013-3612\nAll DVRs of the same series ship with the same default root password on a read-only partition. Therefore, the root password can only be changed by flashing the firmware. Additionally, a separate hard-coded remote backdoor account exists that can be used to control cameras and other system components remotely. It is only accessible if authorization is done through ActiveX or the stand-alone client. Additionally, a hash of the current date can be used as a master password to gain access to the system and reset the administrator's password. CWE-294: Authentication Bypass by Capture-reply - CVE-2013-3613\nThe DVR appliance accepts UPnP requests from external untrusted devices. This can cause the telnet port of a DVR appliance to be automatically forwarded and accessible by external parties. These default conditions could allow an external attacker to detect the device and authenticate using the hard-coded credentials. CWE-521: Weak Password Requirements - CVE-2013-3614\nThe device enforces insufficient password requirements. User passwords are limited to only six characters in length, making them computationally feasible to discover using brute-force methods. CWE-916: Use of Password Hash with Insufficient Computational Effort - CVE-2013-3615\nUser passwords are hashed with a weak 48-bit algorithm, and are therefore susceptible to brute-force attacks within a reasonable amount of time. The CVSS score reflects CVE-2013-3612. Dahua has disputed some of these vulnerabilities. Please see Dahua's vendor information for details.","impact":"An unauthenticated remote attacker could gain privileged access to the device and compromise the confidentiality and integrity of its data. Additionally, the attacker could cause a denial-of-service.","resolution":"We are currently unaware of a practical solution to this problem. Please consider the following workarounds.","workarounds":"Restrict Access If possible, restrict access to the device using IP access lists and block UPnP requests from untrusted external devices.","sysaffected":"","thanks":"Thank\ns to \nAndrey Bezborodov, Kirill Ermakov, Alexander Raspopov, and Dmitry Sklyarov\n of Positive Te\nchnologies for reporting these vulnerabilities.","author":"This document was written by Todd Lewellen.","public":["h","t","t","p",":","/","/","w","w","w",".","d","a","h","u","a","s","e","c","u","r","i","t","y",".","c","o","m","/"],"cveids":["CVE-2013-3612","CVE-2013-3613","CVE-2013-3614","CVE-2013-3615"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-07-05T12:25:07Z","publicdate":"2013-08-13T00:00:00Z","datefirstpublished":"2013-09-13T16:26:16Z","dateupdated":"2013-12-04T14:03:11Z","revision":41,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"7.3","cvss_environmentalscore":"1.81587475944","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}