CVE-2017-7927
Published 2017-05-06
Priority: P180, high
CVSS 3.0: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
VulnCheck KEV: exploited in the wild
EPSS: 36.75% (98.3th percentile)
A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The use of password hash instead of password for authentication vulnerability was identified, which could allow a malicious user to bypass authentication without obtaining the actual password.
Detection & IOCs
Bytes:
\xa0\x00\x00\x60\x00\x00\x00\x00\xc4\xa3\xaf\x48\x99\x56\xb6\xb4\x7e\x48\xc4\x86\x90\x98\x54\xf3\x05\x02\x00\x01\x00\x00\xa1\xaa
- Monitor for TCP connections to port 37777 on Dahua/Amcrest devices; a 32-byte login packet beginning with \xa0\x00\x00\x60 using pre-computed MD5 hashes instead of a plaintext password is indicative of a pass-the-hash authentication bypass attempt (CVE-2017-7927).
- After a successful hash-replay login on TCP/37777, watch for a follow-up JSON-RPC request containing the method 'magicBox.getSoftwareVersion' as a post-exploitation reconnaissance indicator.
- The vulnerability allows authentication bypass using a captured password hash; the attack is feasible even when the user's password is only 8 characters long, so short-password accounts are especially at risk.
- Unauthenticated HTTP requests to the /videotalk endpoint on Dahua/Amcrest cameras should be alerted on; no authentication is required and the endpoint streams live audio.
- The hash-replay bypass on TCP/37777 is specifically exploitable when the target account's password is 8 characters or fewer; longer passwords were not found to be vulnerable in the Amcrest variant.
- Dahua released updated firmware to address CVE-2017-7927; however, the Amcrest IP2M-841B (an OEM variant) was still found vulnerable after the original patch, indicating OEM/rebrand devices may not receive timely fixes.
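A small detector for the three network indicators listed above, as an added example (not code from the advisory, the vendor, or this site). It assumes events arrive as hypothetical pre-parsed `(src, dst, dport, payload)` tuples and matches only on the packet shape the page describes, so a login hit is a candidate to correlate rather than proof of hash replay; the sample events are constructed.

```python
# Added example: matches the network indicators listed above.
# Events are hypothetical pre-parsed tuples: (src, dst, dport, payload).
LOGIN_PREFIX = b"\xa0\x00\x00\x60"  # 4-byte prefix quoted on the page
LOGIN_LEN = 32                       # login packet length quoted on the page
DAHUA_PORT = 37777
RECON_METHOD = b"magicBox.getSoftwareVersion"


def is_unauth_videotalk(payload):
    """True for an HTTP request to /videotalk with no Authorization header."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False
    path = parts[1].split(b"?", 1)[0]
    has_auth = any(ln.lower().startswith(b"authorization:") for ln in lines[1:])
    return path == b"/videotalk" and not has_auth


def detect(events):
    """Return (src, dst, alert_name) tuples in the order they fire."""
    alerts = []
    login_seen = set()  # (src, dst) pairs that sent a login-shaped packet
    for src, dst, dport, payload in events:
        pair = (src, dst)
        if dport == DAHUA_PORT:
            if len(payload) == LOGIN_LEN and payload.startswith(LOGIN_PREFIX):
                login_seen.add(pair)
                alerts.append((src, dst, "login-37777"))
            elif RECON_METHOD in payload and pair in login_seen:
                # Version query after a login from the same source
                alerts.append((src, dst, "login-then-version-query"))
        elif is_unauth_videotalk(payload):
            alerts.append((src, dst, "unauthenticated-videotalk"))
    return alerts


# Constructed samples: documentation-range addresses, zero-filled login body.
VERSION_QUERY = b'{"method":"magicBox.getSoftwareVersion","params":null,"id":1}'
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", 37777, LOGIN_PREFIX + bytes(28)),
    ("198.51.100.7", "192.0.2.10", 37777, VERSION_QUERY),
    ("198.51.100.9", "192.0.2.10", 37777, VERSION_QUERY),  # no prior login
    ("198.51.100.9", "192.0.2.10", 80,
     b"GET /videotalk HTTP/1.1\r\nHost: cam\r\n\r\n"),
    ("198.51.100.9", "192.0.2.10", 80,
     b"GET /videotalk HTTP/1.1\r\nAuthorization: Digest x\r\n\r\n"),
]
```

Calling `detect(SAMPLE)` yields three alerts: the login-shaped packet, the version query that follows it from the same source, and the `/videotalk` request that carries no `Authorization` header.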
CVSS provenance
- NVD, v3.0: 7.3 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- NVD, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 7.3 HIGH
CISA ICS
Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras
cisa_ics·2017-05-04
ICS Advisory
Last Revised: May 04, 2017
Alert Code: ICSA-17-124-02
## CVSS v3 9.8
ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Dahua Technology Co., Ltd
Equipment: Digital Video Recorders and IP Cameras
Vulnerabilities: Use of Password Hash Instead of Password for Authentication, Password in Configuration File
## AFFECTED PRODUCTS
The following Dahua Technology Co., Ltd (Dahua) network cameras are affected:
- DH-IPC-HDBW23A0RN-ZS,
- DH-IPC-HDBW13A0SN,
- DH-IPC-HDW1XXX,
GHSA
GHSA-c2vq-prj2-mrqc: A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, D
ghsa_unreviewed·2022-05-13
CVE-2017-7927 [HIGH] CWE-798 GHSA-c2vq-prj2-mrqc: A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, D
VulnCheck
dahuasecurity dh-ipc-hdbw23a0rn-zs_firmware Use of Password Hash Instead of Password for Authentication
vulncheck·2017·CVSS 7.3
CVE-2017-7927 [HIGH] dahuasecurity dh-ipc-hdbw23a0rn-zs_firmware Use of Password Hash Instead of Password for Authentication
Affected: dahuasecurity dh-ipc-hdbw23a0rn-zs_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of
No detection rules found.
- http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php
- http://www.securityfocus.com/bid/98312
- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02