Security Notification – Media report on high risk vulnerability found in Dahua IPC-HDW4300S

Date: 2017-11-16

First Published: November 16, 2017


Summary:


We observed a media report dated November 15, 2017 about a hard-coded credential vulnerability, related to the upgrade function, found in the Dahua IPC-HDW4300S. The research report by ReFirm Labs was quoted as the source.


This IPC model (IPC-HDW4300S) is an outdated product. The last shipment date was February 2016. The latest firmware (version V2.420.009.0.R.20151106, released on November 6, 2015) did not have the mentioned vulnerability.


Initial analysis found that this vulnerability was caused by an internal debug function. This function was used for problem analysis and performance tuning during the product development phase. It allowed the IPC only to receive specific data (one direction, no transmit), and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution. Dahua has screened all actively shipping products against this vulnerability and found that all products shipped after June 2017 are not affected. We are continuing to screen products that have already been phased out. An update notice will be released as more information becomes available.


Support Resources

For any questions or concerns related to cybersecurity, please contact Dahua at cybersecurity@dahuatech.com