CVE-2019-3948
Published 2019-07-29
Priority: P2 · 69 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 26.70% (97.8th percentile)
The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk. An unauthenticated, remote person can connect to this endpoint and potentially listen to the audio of the capturing device.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amcrest | ip2m-841b_firmware | — | — |
| dahua | dh-ipc-hx863x | < 2018-05-18 | 2018-05-18 |
| dahua | dh-ipc-hx883x | < 2018-05-18 | 2018-05-18 |
| dahua | dh-sd4xxxxx | < 2018-05-18 | 2018-05-18 |
| dahua | dh-sd5xxxxx | < 2018-05-18 | 2018-05-18 |
| dahua | dh-sd6xxxxx | < 2018-05-18 | 2018-05-18 |
| dahua | ipc-hx4x3x | < 2018-05-18 | 2018-05-18 |
| dahua | ipc-hx5x3x | < 2018-05-18 | 2018-05-18 |
| dahua | ipc-xxbxx | < 2018-05-18 | 2018-05-18 |
| dahua | nvr2xxx-4ks2 | < 2018-05-18 | 2018-05-18 |
| dahua | nvr4xxx-4ks2 | < 2018-05-18 | 2018-05-18 |
| dahua | nvr5xxx-4ks2 | < 2018-05-18 | 2018-05-18 |
Detection & IOCs (extracted from sources)
bytes: \xa0\x00\x00\x60\x00\x00\x00\x00\xc4\xa3\xaf\x48\x99\x56\xb6\xb4\x7e\x48\xc4\x86\x90\x98\x54\xf3\x05\x02\x00\x01\x00\x00\xa1\xaa
bytes: dhavp\x01\x00\x00
- Monitor for unauthenticated HTTP GET requests to the /videotalk endpoint on Amcrest/Dahua IP cameras; any request to this path requires no credentials and immediately streams live audio.
- Detect DHAV audio stream framing in TCP payloads: look for the 4-byte magic 'DHAV' in the stream header and the 8-byte trailer 'dhavp\x01\x00\x00' to identify active exploitation of the unauthenticated audio endpoint.
- Alert on TCP connections to port 37777 on Dahua/Amcrest devices that send the known admin:01testit credential hash bytes (login replay attack, CVE-2017-7927 variant); the fixed 32-byte login packet starts with \xa0\x00\x00\x60.
- Use the Shodan dork html:"@WebVersion@" to identify internet-exposed Amcrest/Dahua camera web interfaces that may be vulnerable.
- HTTP responses from the /videotalk endpoint will return '200 OK' with a continuous DHAV-framed audio stream; a payload length of 368 bytes per frame is characteristic of this stream.
- The login replay attack against TCP/37777 only succeeds when the user's password is exactly 8 characters long; longer passwords are not affected by this specific hash-replay variant.
- The ffplay decoding command assumes the camera is using default audio encoding (A-law, 8kHz, mono); non-default encoding settings will require different decode parameters.
- The /videotalk unauthenticated audio streaming vulnerability affects multiple Dahua OEM product lines beyond just Amcrest, including Dahua IPC, DH-IPC, DH-SD, and NVR series devices across several firmware versions.
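The /videotalk monitoring and DHAV framing checks listed above, combined into one flow classifier. This is an added example, not code from the advisory or its sources; it assumes each TCP flow has already been reassembled into client and server byte strings, and the function names, the `camera.example` host and the zero-filled sample frames are constructed for illustration. It also shows that the last four trailer bytes, read as a little-endian integer, equal the 368-byte frame length given above.

```python
import re
import struct

# Values quoted on this page
DHAV_MAGIC = b"DHAV"                     # 4-byte stream header magic
DHAV_TRAILER = b"dhavp\x01\x00\x00"      # 8-byte frame trailer
REQ_RE = re.compile(rb"^GET\s+/videotalk[?\s]", re.I)
OK_RE = re.compile(rb"^HTTP/1\.[01] 200")

def trailer_length(trailer=DHAV_TRAILER):
    """Last four trailer bytes as a little-endian uint32 (0x170 = 368)."""
    return struct.unpack("<I", trailer[4:8])[0]

def has_credentials(client):
    """True if the request head carries an Authorization header."""
    head = client.split(b"\r\n\r\n", 1)[0]
    return any(h.lower().startswith(b"authorization:")
               for h in head.split(b"\r\n")[1:])

def dhav_frame_lengths(server):
    """Length of each span from a DHAV magic to the end of the next trailer."""
    lengths, pos = [], 0
    while True:
        start = server.find(DHAV_MAGIC, pos)
        tail = server.find(DHAV_TRAILER, start + 4) if start != -1 else -1
        if tail == -1:
            return lengths
        pos = tail + len(DHAV_TRAILER)
        lengths.append(pos - start)

def classify(client, server, min_frames=2):
    """'ignore' (other path), 'alert' (unauthenticated DHAV stream) or 'review'."""
    if not REQ_RE.match(client):
        return "ignore"
    streaming = bool(OK_RE.match(server)) and \
        len(dhav_frame_lengths(server)) >= min_frames
    return "alert" if streaming and not has_credentials(client) else "review"

# Constructed sample flow (not captured traffic): zero-filled 368-byte frames
FRAME = DHAV_MAGIC + b"\x00" * (368 - 12) + DHAV_TRAILER
SAMPLE_REQ = b"GET /videotalk HTTP/1.1\r\nHost: camera.example\r\n\r\n"
SAMPLE_RESP = b"HTTP/1.1 200 OK\r\n\r\n" + FRAME * 3

if __name__ == "__main__":
    print(classify(SAMPLE_REQ, SAMPLE_RESP), dhav_frame_lengths(SAMPLE_RESP))
```

A "review" result covers /videotalk requests that carried credentials or did not produce a DHAV stream, which is the expected outcome on patched firmware.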
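CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |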
GHSA
GHSA-f9fm-89ph-x8pr: The Amcrest IP2M-841B IP camera firmware version V2
ghsa_unreviewed·2022-05-24
CVE-2019-3948 [HIGH] GHSA-f9fm-89ph-x8pr: The Amcrest IP2M-841B IP camera firmware version V2
The Amcrest IP2M-841B IP camera firmware version V2.520.AC00.18.R does not require authentication to access the HTTP endpoint /videotalk. An unauthenticated, remote person can connect to this endpoint and listen to the audio the camera is capturing.
VMware
VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948)
vendor_vmware·2020-03-12·CVSS 7.8
CVE-2019-5543 [HIGH] VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948)
VMSA-2020-0004: VMware Horizon Client, VMRC, VMware Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2019-5543, CVE-2020-3947, CVE-2020-3948)
VMware Workstation and Fusion contain a use-after vulnerability in vmnetdhcp. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
CVEs: CVE-2019-5543, CVE-2020-3947, CVE-2020-3948
Affected products: ESXi, Fusion Pro, Horizon Client, VMware Fusion, VMware Horizon, VMware Workstation, VMware vSphere, Workstation Player, Workstation Pro
No detection rules found.
- http://packetstormsecurity.com/files/153813/Amcrest-Cameras-2.520.AC00.18.R-Unauthenticated-Audio-Streaming.html
- https://us.dahuasecurity.com/wp-content/uploads/2019/08/Cybersecurity_2019-08-02.pdf
- https://www.dahuasecurity.com/support/cybersecurity/details/627?us
- https://www.tenable.com/security/research/tra-2019-36

Published: 2019-07-29