Security Notification – SQL injection vulnerability and file download privilege escalation vulnerability were found in Dahua Smart PSS Management System

Date: 2017-11-01
Notification ID: DHCC-SA-201711-001

First Published: November 1, 2017

Summary:

A SQL injection vulnerability was found in the Smart PSS Management System DH-NMS8100. It could be exploited to obtain some data.
A file download privilege escalation vulnerability was found in the Smart PSS Management System DH-NMS8100. It could be exploited to obtain some system information.

Vulnerability Score (CVSS V3.0 https://www.first.org/cvss/specification-document):

SQL injection vulnerability
Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Temporal Score: 6.7 (E:P/RL:O/RC:C)

File download privilege escalation vulnerability
Base Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Temporal Score: 4.5 (E:P/RL:O/RC:C)

Affected Products:

DH-NMS8100 product with software version General_NMS_Chn_IS_V3.06.001.R and earlier

Fixed software release:

Fixed software can be downloaded from the Dahua website:
http://www.dahuatech.com/index.php/service/kitlists/1303.html
Customers should contact Dahua local technical support for assistance with the upgrade process.

Support Resources:

The Dahua technical team will be available to advise on and support the upgrade process. For any questions or concerns related to cybersecurity, please contact Dahua at cybersecurity@dahuatech.com.