The US Cybersecurity and Infrastructure Security Agency is warning of a slew of security vulnerabilities in a facial recognition access controller from Chinese vendor Dahua.

The company is already listed by the FCC as posing an “unacceptable risk” to America’s national security.
In its advisory, CISA says Dahua has “not responded to requests to work with [it] to mitigate these vulnerabilities.”
The Dahua ASI7213X-T1 facial recognition access controller is subject to five vulnerabilities, the most serious of which has a Common Vulnerability Scoring System rating of 8.1.
CVE-2022-2335 (CVSS score 5.7) is an input-validation flaw in the device’s Web server, which “does not properly validate input, which may cause a denial-of-service condition on the device.”
In CVE-2022-2337 (CVSS score 7.1), the unit has a feature allowing the owner to upload files while the device is in standby.
This is meant to support things like promotional images or videos, but an attacker could also “upload unvalidated files that are different than a picture or a video, such as an executable file.”
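The upload weakness in CVE-2022-2337 is the classic case of trusting the client's file name and content. The following is an added example (not Dahua's code, and not from the CISA advisory) of how a server-side upload handler for "promotional images or videos" can reject anything that is not actually an image or video: it whitelists extensions, checks the file's magic bytes against that extension, caps the size, and refuses names with path components. The allowed types, size limit and sample byte strings are assumptions constructed for the example.

```python
"""Added example: validating a promotional image/video upload by extension
AND by file signature, instead of trusting whatever the client sends.
Constructed sample inputs; not the vendor's code."""
import os

# Assumed policy for this example: only these types may be uploaded.
# Each entry maps an extension to a check on the file's leading bytes.
ALLOWED_TYPES = {
    ".jpg":  lambda d: d.startswith(b"\xff\xd8\xff"),
    ".jpeg": lambda d: d.startswith(b"\xff\xd8\xff"),
    ".png":  lambda d: d.startswith(b"\x89PNG\r\n\x1a\n"),
    ".mp4":  lambda d: len(d) >= 8 and d[4:8] == b"ftyp",  # ISO base media file
}
MAX_BYTES = 10 * 1024 * 1024  # assumed 10 MiB cap for this example


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Rejects anything that is not a whitelisted
    media type whose content matches its claimed extension."""
    # A bare file name only: no directories, no traversal components.
    name = os.path.basename(filename)
    if not name or name != filename or name in (".", ".."):
        return False, "bad filename"

    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        # Covers .exe, .sh, .cgi and anything else not on the whitelist.
        return False, "extension not allowed"

    if len(data) == 0:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "too large"

    # Extension alone is not enough: a renamed executable still has an
    # executable header. The content must look like the claimed type.
    if not ALLOWED_TYPES[ext](data):
        return False, "content does not match extension"

    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a valid PNG header, and an executable renamed to .jpg
    print(validate_upload("banner.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("banner.jpg", b"MZ\x90\x00" + b"\x00" * 16))
```

Signature checks of this kind stop the "rename the executable to .jpg" trick but are not a full parser; a production handler would also store the accepted file under a server-generated name, outside any directory the web server executes from, and ideally re-encode images rather than serving the uploaded bytes back.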
CVE-2022-2334 leaves the device vulnerable to a ‘pass the hash’ attack, allowing an attacker “to sniff the authentication process and access the device without needing a password.” This is the vulnerability that attracted the CVSS score of 8.1.
CVE-2022-2338 (CVSS score 7.5) is an information exposure vulnerability: “When an unknown username is entered, the web server will then return a valid user in an error message. This could allow an attacker to gain valid username values for the device to use in authentication attacks.”
Finally, the device fails to restrict access attempts in CVE-2022-2336 (CVSS score 7.5). This leaves it vulnerable to password spraying and credential stuffing.
CISA notes that the vulnerabilities are exploitable remotely with low complexity.
Dahua has multiple distributors in Australia.