SEVERITY: HIGH

Redinent Researchers discovered unauthorised device timestamp modification vulnerability in Dahua products.

Vulnerability Category
Unauthorised Time Change

Vulnerability Summary
Unauthorised Time Change can be triggered in Dahua flagship product Dahua Camera through a specially crafted HTTP request. It occurs because the API handling the timestamp change is not authenticated and an attacker with sufficient know-how about the supported parameters of the API can exploit this vulnerability.

Affected Model (can be more)
DH-XVR5104H-4KL-I2,DH-XVR7416L-4KL-X

Affected Software Versions
V4.001.0000001.2 ,V4.001.0000000.3

A detailed list can be found here

Impact

This vulnerability can be exploited directly from the internet. There are thousands of such cameras of the same OEM that are online and directly connected over the internet. It also possible that if such a device exists in the local network it can be exploited by the attacker on the local LAN. Successful exploitation leads to timestamp change of Dahua camera. This means an attacker can make modification to the timestamp of the video feed leading inconsistent date and time showing up on recorded video without the need of knowing the username and password of the camera. It has a direct impact on the digital forensics.

Dahua is the product of one of the largest IoT and Surveillance Technology OEM. and their products are extensively used globally.

CVE ID: CVE-2022-30564

Dahua Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/1147

Dahua Advisory ID: DHCC-SA-202302-001

Timeline for coordinated disclosure (2022)

10th July , 2022 – Vulnerability Discovery by Redinent
14th Sep, 2022 – Completion of Internal Verification by Redinent
16th Sep, 2022 – Disclosure to CERT India
14th Oct, 2022 – OEM Confirmation
8th Feb, 2023 – OEM Advisory