Lucene search

[email protected]CVE-2017-6342

HistoryFeb 27, 2017 - 7:59 a.m.

CVE-2017-6342

2017-02-2707:59:00

CWE-269

[email protected]

web.nvd.nist.gov

dahua

dhi-hcvr7216a-s3

nvr

camera firmware

smartpss software

cve-2017-6342

automatic login

admin

sensitive information

vulnerability

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.4 Medium

AI Score

Confidence

High

0.958 High

EPSS

Percentile

99.5%

JSON

An issue was discovered on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19. When SmartPSS Software is launched, while on the login screen, the software in the background automatically logs in as admin. This allows sniffing sensitive information identified in CVE-2017-6341 without prior knowledge of the password. This is a different vulnerability than CVE-2013-6117.

Affected configurations

NVD

Node

dahuasecuritycamera_firmwareMatch2.400.0000.28.r

dahuasecuritynvr_firmwareMatch3.210.0001.10

dahuasecuritysmartpss_firmwareMatch1.16.1

AND

dahuasecuritydhi-hcvr7216a-s3Match-

CPENameOperatorVersion
dahuasecurity:camera_firmwaredahuasecurity camera firmwareeq2.400.0000.28.r
dahuasecurity:nvr_firmwaredahuasecurity nvr firmwareeq3.210.0001.10
dahuasecurity:smartpss_firmwaredahuasecurity smartpss firmwareeq1.16.1

CPE	Name	Operator	Version
dahuasecurity:camera_firmware	dahuasecurity camera firmware	eq	2.400.0000.28.r
dahuasecurity:nvr_firmware	dahuasecurity nvr firmware	eq	3.210.0001.10
dahuasecurity:smartpss_firmware	dahuasecurity smartpss firmware	eq	1.16.1