Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CCTV cameras. Show all posts

Unpatched Dahua Cameras are Prone to Authentication Bypass Vulnerabilities

 

Two authentication bypass vulnerabilities exist in unpatched Dahua cameras, and a proof-of-concept exploit released on 7th October makes the case for upgrading urgent. Both CVE-2021-33044 and CVE-2021-33045 are authentication bypass weaknesses that can be remotely exploited during the login process by sending specially crafted data packets to the target device. 

This comes a month after Dahua issued a security advisory urging owners of vulnerable models to update their firmware, but given how often these devices are forgotten after initial setup and installation, it's possible that many of them are still running an old and vulnerable version. The list of impacted models is long and includes several Dahua cameras, including some thermal cameras. 

IPVM confirmed in 2019 that numerous Dahua cameras had a wiretapping vulnerability, based on tests and information from Dahua. Even if the camera's audio was turned off, an unauthenticated attacker could still listen in. 

An emergency investigation was conducted by the Dahua Security Team and the R&D Team, with the following preliminary findings: 

 • Unauthorized download vulnerability in video chat - This vulnerability no longer exists after code reworking because the relevant functional modules were refactored. Some EOL products would have posed a threat to security.

 • Replay attack vulnerability: This was a newly discovered vulnerability that had affected several Dahua products. 

Dahua spokesperson Tim Shen said, "Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods." 

The flaw was initially reported to Dahua in May of 2019. Tenable Research Engineer Jacob Baines discovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC here, CVE-2019-3948), allowing unauthenticated access to the audio stream. 

The Chinese surveillance camera provider Dahua Technology has been barred from doing business and selling products in the United States since October 2019, when it was added to the US Department of Commerce's 'Entity List.' However, tens of thousands of Dahua cameras are still in use around the country, and some of them may not be readily apparent. Many cameras marketed in the United States under American or Canadian brands use Dahua hardware and even software, according to a new revelation from The Intercept.

Three Botnets Abuse Zero-Day Vulnerabilities in LILIN's DVRs!


Not of late, LILIN recorders were found to be vulnerable. Reportedly, botnet operators were behind the zero-day vulnerabilities that were exploited in the Digital Video Recorders (DVRs ) that the vendor is well known for.

Sources mention that the exploitation of the zero-day vulnerabilities had been a continuous thing for almost half a year and the vendor was unaware. Nevertheless, they rolled out a patch in February 2020.

Digital Video Recorders are electronic devices that collect video feeds from local CCTV/IP cameras systems and store them on different mass storage devices like SD cards, USB flash drives, disk drives, etc.

DVRs are a huge deal today given they are a major element for the security cameras that are used almost everywhere in these times.

With CCTV cameras raging, attacks especially designed for them have also risen equally. Malware botnets and other hacker operations have been targeting these widely used DVRs for quite some time now.

Per sources, the non-revised and out of date firmware stands to be the reason for these devices being hacked. Especially, the DVRs with default credentials are exploited to kick off DDoS and other IoT attacks.
Sources mention that security researchers found LILIN’s DVRs too were being exploited for almost half a year, since August last year by three botnets.


The vulnerability in the “NTPUpdate”, sources mention, allows attackers to inject and control the system’s commands. Via one of the ‘hardcoded credentials’ (root/icatch99 & report/8Jg0SR8K50) the attacker stands a chance to retrieve and alter a DVR’s config file, and later control commands on the device after the File Transfer Protocol (FTP) server configuration is regularly matched.

Per sources, the first botnet behind the zero-day vulnerability was the “Chalubo botnet” with a motive of exploiting the NTPUdate of the LILIN DVRs. The other two were employed by the “FBot botnet”

Reportedly, a couple of weeks after the previous attacks of the FBot, the Moobot botnet also tried its luck and succeeded on the second zero-day vulnerability.

There is no knowing as to what the exact motive was behind hacking the LILIN DVRs. Nevertheless, there has been a history of DDoS attacks, re-routing traffic, and proxy networks.

As it happens there are, per sources, over 5,000 LILIN DVRs that exist today thus making it quite a hefty task to update all of them immediately. But it’s a relief to know that the first step has been taken. There’s not much to worry about now given LILIN has released a firmware update along with solutions for mitigation.