CVE-2021-33046

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to reset passwords on Dahua devices through improper access control in the password reset process. It affects Dahua products with specific deployments, potentially enabling unauthorized access to security cameras and other IoT devices. Organizations using vulnerable Dahua equipment are at risk.

💻 Affected Systems

Products:
  • Dahua IP cameras
  • Dahua NVRs
  • Dahua DVRs
  • Dahua access control systems
Versions: Multiple firmware versions prior to fixes
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in specific deployment configurations; all devices with affected firmware should be considered vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Dahua devices allowing attackers to take control of security cameras, disable monitoring, access video feeds, and pivot to internal networks.

🟠 Likely Case

Unauthorized access to Dahua devices enabling surveillance bypass, data exfiltration, and potential device manipulation.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - Devices exposed to internet are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to vulnerable devices but no authentication; simple HTTP requests can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates released by Dahua (specific versions vary by product)

Vendor Advisory: https://support.dahuatech.com/networkSecurity/securityDetails?id=95

Restart Required: Yes

Instructions:

1. Identify affected Dahua devices.
2. Download the latest firmware from the Dahua support portal.
3. Back up the device configuration.
4. Apply the firmware update via the web interface.
5. Verify update completion and functionality.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate Dahua devices from internet and restrict access to trusted networks only

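Access Control Lists (Linux)

Implement firewall rules to restrict access to Dahua device management interfaces. Matching several ports in one rule requires the multiport module. The INPUT chain shown here filters traffic addressed to the Linux host itself; on a gateway that forwards traffic to the devices, the same matches belong in the FORWARD chain.

iptables -A INPUT -s TRUSTED_NETWORK -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP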

🧯 If You Can't Patch

  • Remove internet-facing exposure by placing devices behind VPN or bastion host
  • Implement strict network segmentation and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against Dahua security advisory; test password reset functionality from unauthorized networks

Check Version:

Log in to the Dahua web interface and navigate to System > Information > Version

Verify Fix Applied:

Verify that the firmware version matches the patched release; confirm that password reset attempts from unauthorized sources fail

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts
  • Successful password resets from unexpected IPs
  • Authentication logs showing account takeover

Network Indicators:

  • HTTP POST requests to password reset endpoints from unauthorized sources
  • Unusual traffic patterns to Dahua management ports

SIEM Query:

source="dahua" AND (event_type="password_reset" OR uri_path="/cgi-bin/magicBox.cgi")
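
The network indicator above (POST requests to the watched path from unauthorized sources) can also be checked offline against web or proxy access logs. The following is an added example, not part of the original advisory or any Dahua tooling; the log format (common/combined), the trusted network and the sample lines are assumptions constructed for illustration, and the watched path is the one named in the SIEM query.

```python
import ipaddress
import re
from collections import Counter

# Assumption: management networks allowed to reach the devices (constructed value).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
# Path taken from the SIEM query above; extend with the endpoints seen in your own logs.
WATCHED_PATHS = ("/cgi-bin/magicBox.cgi",)

# Assumption: common/combined log format written by a proxy or gateway in front of the devices.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious(lines):
    """Return POST requests to watched paths that came from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["uri"].split("?", 1)[0]  # compare the path without its query string
        if path in WATCHED_PATHS and not is_trusted(m["src"]):
            hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"])})
    return hits

def summarize(hits):
    """Per source: request count, and whether any request was answered with 2xx."""
    counts = Counter(h["src"] for h in hits)
    ok = {h["src"] for h in hits if 200 <= h["status"] < 300}
    return {src: {"requests": n, "accepted": src in ok} for src, n in counts.items()}

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - - [12/Mar/2024:10:01:07 +0000] "POST /cgi-bin/magicBox.cgi HTTP/1.1" 200 58',
    '203.0.113.7 - - [12/Mar/2024:10:02:11 +0000] "POST /cgi-bin/magicBox.cgi HTTP/1.1" 401 0',
    '203.0.113.7 - - [12/Mar/2024:10:02:12 +0000] "POST /cgi-bin/magicBox.cgi?x=1 HTTP/1.1" 200 58',
    '198.51.100.23 - - [12/Mar/2024:10:05:40 +0000] "GET /cgi-bin/magicBox.cgi HTTP/1.1" 200 58',
    '198.51.100.23 - - [12/Mar/2024:10:05:41 +0000] "POST /index.html HTTP/1.1" 200 10',
    '198.51.100.23 - - [12/Mar/2024:10:05:42 +0000] "POST /cgi-bin/magicBox.cgi HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for src, info in summarize(find_suspicious(SAMPLE)).items():
        print(src, info)
```

A source flagged with `accepted: True` warrants checking the device's authentication logs for a password change at the same timestamp.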
