Security Advisory – Authentication vulnerability found in some Dahua NVR

Date: 2017-11-08



SA ID: DHCC-SA-201711-002


First Published: November 8, 2017


Summary:


An authentication vulnerability was found in some Dahua NVRs. An attacker could exploit this vulnerability to gain access to additional operations by forging a JSON message.


CVE ID: CVE-2017-9314


Vulnerability Score (CVSS V3.0 http://www.first.org/cvss/specification-document):


Base Score: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Temporal Score: 5.9 (E:F/RL:O/RC:C)


Affected Product & Fix Software:


| Affected Model | Version | Fix Software |
| --- | --- | --- |
| NVR50XX, NVR52XX, NVR54XX, NVR58XX | Versions built between 2013 and 2017/10 | DH_NVR5xxx_Eng_P_V2.616.0000.0.R.20171102 |


Fixed software download:


Please download the corresponding fix software (or a newer version) listed in the table above from the Dahua website. Customers can also contact Dahua local technical support to obtain the fix software.
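To triage an NVR inventory against the table above, the following is an added example, not Dahua's code. It assumes device version strings end with the same `.R.YYYYMMDD` build-date suffix as the fix image name and that "XX" in the model names stands for two digits; the inventory is constructed.

```python
import re
from datetime import date

# Values from the advisory table.
AFFECTED_MODEL = re.compile(r"NVR5[0248]\d{2}")  # assumption: "XX" = two digits
FIX_IMAGE = "DH_NVR5xxx_Eng_P_V2.616.0000.0.R.20171102"
WINDOW = (date(2013, 1, 1), date(2017, 10, 31))  # "between 2013 and 2017/10"

# Assumption: device version strings end like the fix image name,
# "<a>.<b>.<c>.<d>.<letter>.<YYYYMMDD>", the last field being the build date.
BUILD = re.compile(r"\d+\.\d+\.\d+\.\d+\.[A-Z]\.(\d{4})(\d{2})(\d{2})$")

def build_date(version):
    """Return the build date embedded in a version string, or None."""
    m = BUILD.search(version.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # digits that do not form a real date, e.g. month 13
        return None

FIX_DATE = build_date(FIX_IMAGE)

def triage(model, version):
    """Classify one device against the advisory's model list and build window."""
    if not AFFECTED_MODEL.search(model.upper()):
        return "not-listed"
    built = build_date(version)
    if built is None:
        return "unknown"  # unparseable: verify by hand, never assume safe
    if built >= FIX_DATE:
        return "fixed"  # the fix image "or its newer version"
    if WINDOW[0] <= built <= WINDOW[1]:
        return "affected"
    return "review"  # older than the fix but outside the stated window

# Constructed inventory: hostnames, models and versions are made up.
INVENTORY = [
    ("nvr-lobby", "DHI-NVR5216-4KS2", "3.210.0000.0.R.20160412"),
    ("nvr-dock", "NVR5432-4KS2", "2.616.0000.0.R.20171102"),
    ("nvr-lab", "NVR5864-4KS2", "2.616.0000.0.R.20171101"),
    ("nvr-gate", "NVR4104HS", "3.200.0000.0.R.20150101"),
    ("nvr-roof", "NVR5016", "unknown"),
]

def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(model, ver) for host, model, ver in inventory}
```

Devices reported as `unknown` or `review` need a manual check of the running firmware before they are treated as patched.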


Support Resources


The Dahua technical team will be available to advise on and support the upgrade process. For any questions or concerns related to cybersecurity, please contact Dahua at cybersecurity@dahuatech.com.

We acknowledge the support of researcher Ilias el Matani, who discovered this vulnerability and reported it to DHCC.