Dahua’s facial recognition access camera is vulnerable, says CISA – Security


The US Cybersecurity and Infrastructure Security Agency warns of a host of security vulnerabilities in a facial recognition access controller from Chinese supplier Dahua.

The company is already listed by the FCC as posing an “unacceptable risk” to US national security.

In its notice, CISA indicates that Dahua has “not responded to requests for collaboration with [it] to mitigate these vulnerabilities.”

The Dahua ASI7213X-T1 facial recognition access controller is subject to five vulnerabilities, the most severe of which has a Common Vulnerability Scoring System rating of 8.1.

CVE-2022-2335 (CVSS score 5.7) is a flaw in the device’s web server, which “incorrectly validates input, which may lead to a denial of service condition on the device.”

In CVE-2022-2337 (CVSS score 7.1), the unit has a feature that allows the owner to download files while the device is sleeping.

This is intended to support things like promotional images or videos, but an attacker could also “upload unverified files that are different from an image or video, such as an executable file.”
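The defensive counterpart to the upload weakness described above is a server-side gate that refuses anything not proven to be an image or video. The following is an added example, not Dahua's firmware code or anything from the CISA notice: it checks the file extension against an allow-list, sniffs the leading bytes for a known media signature, explicitly rejects common executable headers, and enforces a size cap. The format signatures are the published ones; the file names, the size limit and the sample payloads in `demo()` are constructed for this example.

```python
"""Added example (not Dahua's code): accept an uploaded 'promotional image or
video' only when extension, leading bytes and size all agree that it is one.
Sample inputs in demo() are constructed."""
from __future__ import annotations

import os

# Published magic bytes of the media formats the feature is meant to accept.
MEDIA_SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Leading bytes of executable containers that must never be stored, whatever
# the name claims: PE ("MZ"), ELF, and any script with a shebang line.
EXECUTABLE_SIGNATURES = [b"MZ", b"\x7fELF", b"#!"]
MAX_BYTES = 20 * 1024 * 1024  # constructed limit for this example


def looks_like_mp4(data: bytes) -> bool:
    """ISO base media files (MP4, MOV) carry the 'ftyp' box at offset 4."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Only the basename is ever considered, so a
    name carrying directory components cannot influence where it is stored."""
    name = os.path.basename(filename)
    ext = os.path.splitext(name)[1].lower()
    if ext not in MEDIA_SIGNATURES and ext != ".mp4":
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # Reject executable content before any format-specific check.
    if any(data.startswith(sig) for sig in EXECUTABLE_SIGNATURES):
        return False, "executable content rejected"
    if ext == ".mp4":
        matches = looks_like_mp4(data)
    else:
        matches = any(data.startswith(sig) for sig in MEDIA_SIGNATURES[ext])
    if not matches:
        return False, f"content does not match {ext}"
    return True, "ok"


def demo() -> list[tuple[str, bool, str]]:
    """Run the gate over constructed payloads; returns (name, accepted, reason)."""
    samples = [
        ("banner.png", b"\x89PNG\r\n\x1a\n" + bytes(32)),   # genuine PNG header
        ("banner.png", b"\x7fELF" + bytes(32)),             # ELF renamed to .png
        ("promo.exe", b"MZ" + bytes(32)),                   # PE with honest name
        ("clip.mp4", bytes(4) + b"ftypisom" + bytes(8)),    # minimal MP4 header
        ("script.jpg", b"#!/bin/sh\n"),                     # shell script as .jpg
    ]
    return [(n, *validate_upload(n, d)) for n, d in samples]


if __name__ == "__main__":
    for name, accepted, reason in demo():
        print(f"{name:12} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Signature sniffing is not a substitute for re-encoding media through a trusted library, but it is the minimum that stops an arbitrary binary from being stored just because its name ends in `.jpg`.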

CVE-2022-2334 makes the device vulnerable to a “pass the hash” attack, allowing an attacker “to sniff the authentication process and gain access to the device without needing a password.” It was the vulnerability that drew the CVSS score of 8.1.

CVE-2022-2338 (CVSS score 7.5) is an information exposure vulnerability: “When an unknown username is entered, then the web server will return a valid user in an error message. This could allow an attacker to obtain valid username values for the device to use in authentication attacks.”

Finally, the device fails to restrict access attempts in CVE-2022-2336 (CVSS score 7.5). This makes it vulnerable to password spraying and credential stuffing.

CISA notes that the vulnerabilities are remotely exploitable with low complexity.

Dahua has several distributors in Australia.
