CVE-2017-7927 — HIGH (7.3) — White Hats Nepal

Vulnerability Description

A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The use of password hash instead of password for authentication vulnerability was identified, which could allow a malicious user to bypass authentication without obtaining the actual password.

CVSS Score

7.3

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Dahuasecurity	Dh-Ipc-Hdbw23A0Rn-Zs Firmware	-
Dahuasecurity	Dh-Ipc-Hdbw23A0Rn-Zs	-
Dahuasecurity	Dh-Ipc-Hdbw13A0Sn Firmware	-
Dahuasecurity	Dh-Ipc-Hdbw13A0Sn	-
Dahuasecurity	Dh-Ipc-Hdw1Xxx Firmware	-
Dahuasecurity	Dh-Ipc-Hdw1Xxx	-
Dahuasecurity	Dh-Ipc-Hdw2Xxx Firmware	-
Dahuasecurity	Dh-Ipc-Hdw2Xxx	-
Dahuasecurity	Dh-Ipc-Hdw4Xxx Firmware	-
Dahuasecurity	Dh-Ipc-Hdw4Xxx	-
Dahuasecurity	Dh-Ipc-Hfw1Xxx Firmware	-
Dahuasecurity	Dh-Ipc-Hfw1Xxx	-
Dahuasecurity	Dh-Ipc-Hfw2Xxx Firmware	-
Dahuasecurity	Dh-Ipc-Hfw2Xxx	-
Dahuasecurity	Dh-Ipc-Hfw4Xxx Firmware	-
Dahuasecurity	Dh-Ipc-Hfw4Xxx	-
Dahuasecurity	Dh-Sd6Cxx Firmware	-
Dahuasecurity	Dh-Sd6Cxx	-
Dahuasecurity	Dh-Nvr1Xxx Firmware	-
Dahuasecurity	Dh-Nvr1Xxx	-

Related Weaknesses (CWE)

CWE-798 CWE-836

References

http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.phpPatchVendor Advisory
http://www.securityfocus.com/bid/98312Third Party AdvisoryVDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02MitigationThird Party AdvisoryUS Government Resource
http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.phpPatchVendor Advisory
http://www.securityfocus.com/bid/98312Third Party AdvisoryVDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02MitigationThird Party AdvisoryUS Government Resource

FAQ

What is CVE-2017-7927?

CVE-2017-7927 is a vulnerability with a CVSS score of 7.3 (HIGH). A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-...

How severe is CVE-2017-7927?

CVE-2017-7927 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-7927?

Check the references section above for vendor advisories and patch information. Affected products include: Dahuasecurity Dh-Ipc-Hdbw23A0Rn-Zs Firmware, Dahuasecurity Dh-Ipc-Hdbw23A0Rn-Zs, Dahuasecurity Dh-Ipc-Hdbw13A0Sn Firmware, Dahuasecurity Dh-Ipc-Hdbw13A0Sn, Dahuasecurity Dh-Ipc-Hdw1Xxx Firmware.