August 22, 2024 at 08:45AM
CISA warned about 2 critical authentication bypass vulnerabilities in Dahua products, affecting IP cameras, monitors, intercoms, and DVRs. Tracked as CVE-2021-33044 and CVE-2021-33045, they have a CVSS score of 9.8. Exploiting these could allow unauthorized access. CISA urges entities to address these concerns promptly following BOD 22-01 guidelines.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical-severity authentication bypass vulnerabilities affecting multiple Dahua products. The vulnerabilities are tracked as CVE-2021-33044 and CVE-2021-33045 and have a CVSS score of 9.8. They were discovered in Dahua firmware running on IP cameras, indoor monitors, intercom stations, and digital video recorder (DVR) products.
CVE-2021-33044 is triggered when the NetKeyboard type argument is specified during authentication, allowing an attacker to completely bypass authentication on devices that do not support NetKeyboard functionality. CVE-2021-33045 can be triggered by specifying the loopback device during authentication, bypassing authentication on firmware releases prior to mid-2020.
Dahua has released approximately 70 firmware updates to resolve these vulnerabilities across its product portfolio. CISA added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) list, along with other vulnerabilities such as CVE-2022-0185 and CVE-2021-31196, which impact the Linux kernel and Microsoft Exchange Server, respectively.
Under Binding Operational Directive (BOD) 22-01, federal agencies have until September 11 to identify vulnerable products within their environments and apply available mitigations. While BOD 22-01 specifically applies to federal agencies, CISA recommends that all organizations review the KEV list and address the included vulnerabilities promptly. Proof-of-concept (PoC) code targeting the Dahua and Exchange Server vulnerabilities has been available since 2021, but there have been no reports of malicious exploitation prior to CISA’s warning.
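As an added example (not from the original article or from CISA), the sketch below shows one way to do the KEV review described above: match KEV entries against an asset inventory and report what is still open before the due date. The field names follow CISA's KEV JSON feed; the vendor and product strings, the inventory, and the year 2024 (inferred from the article date) are constructed assumptions.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. CVE IDs come from the
# article; vendor/product strings and the 2024 year are assumptions.
KEV = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2021-33044", "vendorProject": "Dahua", "product": "IP Camera Firmware", "dueDate": "2024-09-11"},
 {"cveID": "CVE-2021-33045", "vendorProject": "Dahua", "product": "IP Camera Firmware", "dueDate": "2024-09-11"},
 {"cveID": "CVE-2022-0185", "vendorProject": "Linux", "product": "Kernel", "dueDate": "2024-09-11"},
 {"cveID": "CVE-2021-31196", "vendorProject": "Microsoft", "product": "Exchange Server", "dueDate": "2024-09-11"}
]}""")

# Constructed asset inventory; "remediated" lists CVEs already fixed on that host.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "Dahua", "remediated": []},
    {"host": "dvr-02", "vendor": "dahua", "remediated": ["CVE-2021-33044", "CVE-2021-33045"]},
    {"host": "exch-01", "vendor": "Microsoft", "remediated": []},
    {"host": "cam-dock-07", "vendor": "Axis", "remediated": []},
]

def kev_findings(kev, inventory, today):
    """Return open KEV candidates per asset, most urgent first."""
    by_vendor = {}
    for entry in kev["vulnerabilities"]:
        by_vendor.setdefault(entry["vendorProject"].casefold(), []).append(entry)
    findings = []
    for asset in inventory:
        # Vendor matching is case-insensitive because inventories are rarely normalized.
        for entry in by_vendor.get(asset["vendor"].casefold(), []):
            if entry["cveID"] in asset.get("remediated", []):
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "days_left": days_left, "overdue": days_left < 0})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"], f["cve"]))

if __name__ == "__main__":
    for f in kev_findings(KEV, INVENTORY, date(2024, 8, 22)):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']:<14}{f['cve']:<16}{status}")
```

Matching on vendor alone is a coarse first pass: each candidate still needs its model and firmware build checked against the vendor's advisory before it is counted as vulnerable or cleared.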