Flaw in Dahua IP cameras allows full device takeover

A vulnerability, identified as CVE-2022-30563, affecting the Dahua IP Camera may allow attackers to take control of IP cameras.

The CVE-2022-30563 vulnerability affecting the Dahua IP camera can allow attackers to take control of IP cameras. The issue affects Dahua’s implementation of the Open Network Video Interface Forum (ONVIF).

ONVIF provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.

The vulnerability was discovered by researchers at Nozomi Networks and given a CVSS score of 7.4.

“We are releasing details of a new vulnerability (tracked as CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in certain IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions,” reads the advisory published by Nozomi Networks. “This vulnerability could be exploited by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying credentials in a new request to the camera.”

ONVIF-compliant products allow users to perform various actions on the remote device through a set of standardized application programming interfaces (APIs), including viewing video footage, locking or unlocking a smart door, and performing maintenance operations.

The defect lies in the “WS-UsernameToken” authentication mechanism implemented by Dahua in some of its IP cameras. Because the implementation lacks checks to prevent replay attacks, a malicious actor can sniff an unencrypted ONVIF interaction and indefinitely replay the credentials in new requests to the camera, which the device accepts as valid authenticated requests.

Once the credentials are obtained, an attacker can add an administrator account and use it to gain full access to the device and perform actions such as watching live footage from the camera.

An attacker can carry out this attack by capturing an unencrypted ONVIF request authenticated with the WS-UsernameToken scheme.
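The replay checks whose absence is described above, as an added example that is not taken from Nozomi's advisory or from Dahua's firmware: a server-side verifier for the standard WS-UsernameToken password digest, run once without and once with a freshness window and nonce cache. The class name, the `replay_checks` switch, the five-minute window and all sample values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window, not a value from the page

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # WSS UsernameToken Profile: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class UsernameTokenVerifier:  # hypothetical class, not Dahua's or ONVIF's code
    def __init__(self, users, replay_checks=True):
        self.users = users          # username -> password (constructed sample data)
        self.replay_checks = replay_checks
        self.seen = {}              # (username, nonce) -> Created time

    def verify(self, username, nonce_b64, created, digest, now):
        password = self.users.get(username)
        if password is None:
            return "unknown-user"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return "malformed"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return "bad-digest"
        if self.replay_checks:
            if abs(now - created_at) > MAX_AGE:
                return "stale"      # Created outside the freshness window
            # Forget nonces whose tokens would now be rejected as stale anyway.
            self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_AGE}
            if (username, nonce) in self.seen:
                return "replayed"   # same nonce seen inside the window
            self.seen[(username, nonce)] = created_at
        return "ok"

def demo():
    users = {"admin": "constructed-password"}
    t0 = datetime(2022, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    created, nonce = "2022-07-01T12:00:00Z", b"constructed-nonce"  # constructed token fields
    token = ("admin", base64.b64encode(nonce).decode(), created,
             password_digest(nonce, created, users["admin"]))
    weak, strict = UsernameTokenVerifier(users, replay_checks=False), UsernameTokenVerifier(users)
    return {"weak_first": weak.verify(*token, now=t0),
            "weak_next_day": weak.verify(*token, now=t0 + timedelta(days=1)),
            "strict_first": strict.verify(*token, now=t0),
            "strict_replay": strict.verify(*token, now=t0 + timedelta(seconds=30)),
            "strict_next_day": strict.verify(*token, now=t0 + timedelta(days=1))}
```

The digest covers only the nonce, timestamp and password, not the request body, so these checks limit token reuse but do not replace transport encryption for ONVIF traffic.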

The following versions of Dahua video products are affected:

  • Dahua ASI7XXX: Versions prior to v1.000.0000009.0.R.220620
  • Dahua IPC-HDBW2XXX: Versions prior to v2.820.0000000.48.R.220614
  • Dahua IPC-HX2XXX: Versions prior to v2.820.0000000.48.R.220614

The vendor addressed the issue with a patch released on June 28, 2022.

“In addition to building security, surveillance cameras are used in many critical infrastructure sectors such as oil and gas, power grids, telecommunications, etc. These cameras are used to monitor many production processes, providing remote visibility for process engineers. Threat actors, especially nation-state threat groups, might be interested in hacking into IP cameras to help gather information about the target company’s equipment or production processes,” concludes Nozomi. “This information could help in the reconnaissance carried out before the launch of a cyberattack. With better knowledge of the target environment, threat actors could design custom attacks that could physically disrupt production processes in critical infrastructure.”


Pierluigi Paganini
