Pierluigi Paganini August 22, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2021-33044 Dahua IP Camera Authentication Bypass Vulnerability
• CVE-2021-33045 Dahua IP Camera Authentication Bypass Vulnerability
• CVE-2022-0185 Linux Kernel Heap-Based Buffer Overflow
• CVE-2021-31196 Microsoft Exchange Server Information Disclosure Vulnerability

In October 2021, experts warned of the availability of proof of concept (PoC) exploit code for a couple of authentication bypass vulnerabilities in Dahua cameras, respectively tracked as CVE-2021-33044 and CVE-2021-33045. 

A remote attacker can exploit both vulnerabilities by sending specially crafted data packets to the vulnerable cameras.

“The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.” reads the advisory published by the vendor in early September.

The flaw received a CVSS v3 score of 8.1, the vendor recommended its customers to install security updates.

The list of affected models is very long, it includes IPC-X3XXX,HX5XXX, HUM7XX, VTO75X95X, VTO65XXX, VTH542XH, PTZ Dome Camera SD1A1, SD22, SD49, SD50, SD52C, SD6AL, Thermal TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5XXX, TPC-SD8X21, TPC-PT8X21B, NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX.

It could be quite easy for threat actors in the wild to find exposed Dahua devices using a search engine like Shodan and attempt to hack them using the available PoC code. In order to protect Dahua devices, users have to install the latest firmware version.

The vulnerability CVE-2022-0185 is a Linux kernel issue that China-linked threat actors have exploited in attacks in the wild.

The vulnerability is a heap-based buffer overflow flaw that resides in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

CVE-2021-31196 is a remote code execution (RCE) flaw in Microsoft Exchange Server. The vulnerability specifically affects the way Microsoft Exchange Server handles objects in memory. An attacker who successfully exploited this vulnerability could gain the ability to execute code with the same privileges as the affected Exchange Server service account. Microsoft released patches to address this vulnerability as part of their security updates in May 2021.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by September 11, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)