CVE-2017-6342 in DHI-HCVR7216A-S3info

Summary

by MITRE

Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19 send the MD5 or SHA-256 Admin Hash during a SmartPSS Auto Login, which might allow remote attackers to obtain sensitive information by sniffing the network and then conducting a rainbow-table attack, a different vulnerability than CVE-2013-6117.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/02/2020

The vulnerability identified as CVE-2017-6342 affects Dahua DHI-HCVR7216A-S3 network video recorder devices running specific firmware versions from 2016 and 2017. This security flaw represents a critical weakness in the authentication mechanism of these surveillance systems, where the device transmits administrative credentials in a manner that exposes them to network sniffing attacks. The vulnerability specifically manifests during the SmartPSS Auto Login process, which is a feature designed to streamline the connection process between the SmartPSS software and the NVR device, but inadvertently creates a security exposure that violates fundamental principles of secure credential handling.

The technical implementation of this vulnerability stems from the improper handling of authentication hashes within the communication protocol between the SmartPSS software and the NVR device. When the auto-login feature is initiated, the system sends either MD5 or SHA-256 hashed administrative passwords across the network without adequate encryption or additional security measures. This behavior directly violates the principle of least privilege and secure credential transmission as outlined in security best practices. The transmitted hashes are not salted or sufficiently randomized, making them vulnerable to rainbow table attacks that can reverse the hashing process to obtain the original administrative passwords. This weakness operates at the application layer of the network stack and represents a clear violation of the secure communication standards that should be implemented for industrial security devices.

The operational impact of this vulnerability extends beyond simple credential theft, as it provides attackers with unauthorized administrative access to critical surveillance infrastructure. Once an attacker successfully obtains the administrative credentials through network sniffing, they gain complete control over the NVR system, including the ability to modify recording settings, delete video footage, access live streams, and potentially compromise the entire surveillance network. This access can be leveraged to conduct further attacks within the network or to cover malicious activities by modifying or deleting evidence. The vulnerability is particularly concerning because it affects devices deployed in environments where physical security is paramount, such as corporate facilities, government buildings, and critical infrastructure sites, where the compromise of surveillance systems can have severe operational and security implications.

Organizations should implement immediate mitigations including network segmentation to isolate surveillance systems from general network traffic, deploying network monitoring tools to detect and alert on suspicious authentication traffic, and upgrading to firmware versions that address this vulnerability. The implementation of additional authentication layers such as two-factor authentication or certificate-based authentication should be considered as part of a comprehensive security strategy. This vulnerability aligns with CWE-312 (Sensitive Data Exposure) and represents a specific case of credential exposure during authentication processes, which is categorized under the ATT&CK technique T1075 (Pass the Hash) and T1046 (Network Service Scanning) as attackers can leverage the exposed credentials to move laterally within networks. The security community should also consider this vulnerability in the context of the broader threat landscape, as it demonstrates the persistent challenge of secure credential handling in embedded systems and industrial control environments where legacy security implementations often fail to meet modern security requirements.

Reservation

02/26/2017

Disclosure

02/27/2017

Moderation

accepted

Entry

VDB-97311

CPE

ready

EPSS

0.12757

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!