CVE-2021-33044
Published: 15 September 2021
Summary
CVE-2021-33044 is a critical-severity Improper Authentication (CWE-287) vulnerability in Dahua IPC-HUM7xxx firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Deeper analysis
CVE-2021-33044 is an identity authentication bypass vulnerability affecting some Dahua products during the login process and is tracked under CWE-287. It carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.
An unauthenticated attacker can exploit the flaw remotely by constructing and sending malicious data packets that bypass device identity authentication, resulting in full impact to confidentiality, integrity, and availability of the affected device.
Dahua has published an advisory at https://www.dahuasecurity.com/support/cybersecurity/details/957. Public technical details and proof-of-concept material have also been posted to Packet Storm Security and the Seclists Full Disclosure mailing list.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-19759
Vulnerability details
An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
- CWE(s): CWE-287
- KEV Date Added: 21 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly enforces authentication requirements before allowing access, blocking the malicious-packet bypass of the login process.
- Requires cryptographic or strong device identification and authentication, directly addressing the device-identity bypass flaw.
- Mandates secure remote-access mechanisms and authentication, limiting the network vector used to send the crafted login packets.