CVE-2019-3948
First published: Mon Jul 29 2019(Updated: )
The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk. An unauthenticated, remote person can connect to this endpoint and potentionally listen to the audio of the capturing device.
Credit: vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Amcrest IP2M-841 | =2.520.ac00.18.r | |
| Amcrest IP2M-841B Firmware | ||
| Dahua DH-IPC-HX863X | <2018-05-18 | |
| Dahua DH-IPC-HX883X | <2018-05-18 | |
| Dahua DH-SD4XXXXX | <2018-05-18 | |
| Dahua Security DH-SD5xxxxx | <2018-05-18 | |
| Dahuasecurity DH-SD6XXXXX | <2018-05-18 | |
| Dahua IPC-HX4X3X | <2018-05-18 | |
| Dahua IPC-HX5XXX | <2018-05-18 | |
| Dahua IPC-XXBXX | <2018-05-18 | |
| Dahua NVR2xxx-4KS2 | <2018-05-18 | |
| Dahua NVR4XXX-4KS2 | <2018-05-18 | |
| Dahua Technology NVR 5xxx Firmware | <2018-05-18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/153813/Amcrest-Cameras-2.520.AC00.18.R-Unauthenticated-Audio-Streaming.html
- https://us.dahuasecurity.com/wp-content/uploads/2019/08/Cybersecurity_2019-08-02.pdf
- https://www.dahuasecurity.com/support/cybersecurity/details/627?us
- https://www.tenable.com/security/research/tra-2019-36
Frequently Asked Questions
What is CVE-2019-3948?
CVE-2019-3948 is a vulnerability in the Amcrest IP2M-841B, Dahua IPC-XXBXX, Dahua IPC HX5X3X, and other Dahua devices, which allows unauthenticated audio streaming.
What is the severity of CVE-2019-3948?
CVE-2019-3948 has a severity score of 7.5 (High).
Which software versions are affected by CVE-2019-3948?
Amcrest IP2M-841B firmware version 2.520.ac00.18.r and various versions of Dahua IPC-XXBXX, Dahua IPC HX5X3X, Dahua DH-IPC HX883X, Dahua DH-IPC-HX863X, Dahua DH-SD4XXXXX, Dahua DH-SD5XXXXX, Dahua DH-SD6XXXXX.
How can I fix CVE-2019-3948?
To fix CVE-2019-3948, users should update their affected devices to the latest firmware version provided by Amcrest or Dahua.
Where can I find more information about CVE-2019-3948?
More information about CVE-2019-3948 can be found in the references provided: http://packetstormsecurity.com/files/153813/Amcrest-Cameras-2.520.AC00.18.R-Unauthenticated-Audio-Streaming.html, https://us.dahuasecurity.com/wp-content/uploads/2019/08/Cybersecurity_2019-08-02.pdf, and https://www.dahuasecurity.com/support/cybersecurity/details/627?us
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/amcrest
- canonical/amcrest ip2m-841
- version/amcrest ip2m-841/2.520.ac00.18.r
- canonical/amcrest ip2m-841b firmware
- vendor/dahua
- canonical/dahua dh-ipc-hx863x
- canonical/dahua dh-ipc-hx883x
- canonical/dahua dh-sd4xxxxx
- canonical/dahua security dh-sd5xxxxx
- canonical/dahuasecurity dh-sd6xxxxx
- canonical/dahua ipc-hx4x3x
- canonical/dahua ipc-hx5xxx
- canonical/dahua ipc-xxbxx
- canonical/dahua nvr2xxx-4ks2
- canonical/dahua nvr4xxx-4ks2
- canonical/dahua technology nvr 5xxx firmware