praetorian-inc / chariot-ui

Chariot Offensive Security Platform
https://chariot.praetorian.com
MIT License

CISA KEV Alert: Dahua IP Camera Authentication Bypass Vulnerability (CVE-2021-33045) #580

Closed UNC1739 closed 1 week ago

UNC1739 commented 2 weeks ago

CVE ID: CVE-2021-33045
Vendor/Project: Dahua
Product: IP Camera Firmware
Vulnerability Name: Dahua IP Camera Authentication Bypass Vulnerability
Date Added: 2024-08-21
Short Description: Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2024-09-11
Known Ransomware Use: Unknown
Notes: https://www.dahuasecurity.com/aboutUs/trustedCenter/details/582

UNC1739 commented 2 weeks ago

I'm not seeing any nuclei templates in the upstream nuclei-templates repository which cover this particular CVE. It looks like there are public exploits available for this issue:

https://github.com/bp2008/DahuaLoginBypass

UNC1739 commented 2 weeks ago

There is a nuclei template for a related vulnerability CVE-2021-33044. I think both of these issues were fixed within the same patch-set:

https://github.com/projectdiscovery/nuclei-templates/blob/4ebfd99890f70b1bcce0a58a44eb1c71de09f47e/http/cves/2021/CVE-2021-33044.yaml

UNC1739 commented 2 weeks ago

There is a technical writeup on this issue available here:

https://packetstormsecurity.com/files/download/164423/dahua-bypass.txt

UNC1739 commented 2 weeks ago

I'm not terribly worried about this one since from the writeup it looks like CVE-2021-33045 is a slight variant on CVE-2021-33044 and they were likely both fixed in the same patch. Although the writeup for CVE-2021-33044 says that it impacts "Those devices who do not support "NetKeyboard" functionality (older than June 2021)", so there might be some edge cases where the device is impacted by CVE-2021-33045, but not CVE-2021-33044.