Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices





Details have been shared about a security vulnerability in Dahua's Open Network Video Interface Forum (ONVIF) standard implementation, which, when exploited, can lead to seizing control of IP cameras.

Tracked as CVE-2022-30563 (CVSS score: 7.4), the "vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera," Nozomi Networks said in a Thursday report.

The issue, which was addressed in a patch released on June 28, 2022, impacts the following products:

  • Dahua ASI7XXX: Versions prior to v1.000.0000009.0.R.220620
  • Dahua IPC-HDBW2XXX: Versions prior to v2.820.0000000.48.R.220614
  • Dahua IPC-HX2XXX: Versions prior to v2.820.0000000.48.R.220614

ONVIF governs the development and use of an open standard for how IP-based physical security products such as video surveillance cameras and access control systems can communicate with one another in a vendor-agnostic manner.


The bug identified by Nozomi Networks resides in what's called the "WS-UsernameToken" authentication mechanism implemented in certain IP cameras developed by Chinese firm Dahua, allowing attackers to compromise the cameras by replaying the credentials.

In other words, successful exploitation of the flaw could permit an adversary to covertly add a malicious administrator account and exploit it to obtain unrestricted access to an affected device with the highest privileges, including watching live camera feeds.

All a threat actor needs to mount this attack is to be able to capture one unencrypted ONVIF request authenticated with the WS-UsernameToken schema, which is then used to send a forged request with the same authentication data to trick the device into creating the admin account.
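The replay defences that the WS-Security UsernameToken profile expects of a verifier, sketched here as an added example (not code from Nozomi Networks, Dahua or the original article): the digest is Base64(SHA-1(nonce + created + password)), so a captured token stays valid unless the receiver checks the `Created` timestamp and remembers nonces it has already seen. The `TokenVerifier` class, the five-minute `MAX_AGE` window and all sample values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for <Created>

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class TokenVerifier:  # hypothetical name, not a vendor API
    def __init__(self, passwords):
        self.passwords = passwords  # username -> password (constructed store)
        self.seen = {}              # nonce -> time after which it may be forgotten

    def verify(self, user, nonce_b64, created, digest, now):
        # Forget nonces whose token could no longer pass the freshness check.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return "reject: malformed token"
        expected = password_digest(nonce, created, self.passwords.get(user, ""))
        if user not in self.passwords or not hmac.compare_digest(expected.encode(), digest.encode()):
            return "reject: bad credentials"
        if abs(now - ts) > MAX_AGE:
            return "reject: stale Created"  # old capture presented later
        if nonce in self.seen:
            return "reject: nonce reused"   # same capture presented inside the window
        self.seen[nonce] = ts + MAX_AGE
        return "accept"

def demo():
    # Constructed sample values, not taken from any real device or capture.
    v = TokenVerifier({"admin": "constructed-password"})
    t0 = datetime(2022, 7, 28, 12, 0, 0, tzinfo=timezone.utc)
    created = "2022-07-28T12:00:00Z"
    nonce_b64 = base64.b64encode(b"constructed-nonce").decode()
    digest = password_digest(b"constructed-nonce", created, "constructed-password")
    return [
        v.verify("admin", nonce_b64, created, digest, t0 + timedelta(seconds=2)),   # original request
        v.verify("admin", nonce_b64, created, digest, t0 + timedelta(seconds=30)),  # same token again
        v.verify("admin", nonce_b64, created, digest, t0 + timedelta(minutes=10)),  # same token, much later
        v.verify("admin", nonce_b64, created, "AAAA", t0 + timedelta(seconds=40)),  # wrong digest
    ]

if __name__ == "__main__":
    print(demo())
```

The digest does not cover the SOAP body, so these checks only limit reuse of a token; keeping ONVIF traffic off unencrypted channels is what prevents the capture in the first place.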





This information could aid in reconnaissance conducted prior to launching a cyberattack. With more knowledge of the target environment, threat actors could craft custom attacks that can physically disrupt production processes in critical infrastructure.

