Port 37777 vulnerability

patric
Posts: 185
Joined: Sat Jan 18, 2020 11:26 pm

Port 37777 vulnerability

Post by patric »

Was this ever addressed or fixed?
"Tenable has discovered a couple of vulnerabilities in the port 37777 interface found on a variety of Amcrest/Dahua IP camera and NVR devices."
https://www.tenable.com/security/research/tra-2020-20
Revo2Maxx
Site Admin
Posts: 5914
Joined: Sat Jun 15, 2019 3:05 pm

Re: Port 37777 vulnerability

Post by Revo2Maxx »

If you have an A2 or newer FW on your DVR/NVR or IP cameras, then that doesn't matter. At the bottom of that page it shows Amcrest fixed the issue with the release of FW for affected devices. I will admit that there are still some online that are using older FW, and I have said many times in the past that the last thing anyone should be doing is leaving the DVR/NVR connected to the internet directly. The devices should be connected using P2P, and sure, that can have issues of its own, but there are things that are needed for that to happen. First, if you don't know the SN, there is nothing that will ever say that the SN entered is right or wrong, so it isn't like someone could just set up something to test a bunch of number-letter combos to try and come up with your SN. Second, if they had the number right, they would next need to guess your password, and so on. With a computer connected to the Internet there is no guesswork: it shows the IP, so next you can try to go to the second part of the task, the password.
Be Safe.
patric
Posts: 185
Joined: Sat Jan 18, 2020 11:26 pm

Re: Port 37777 vulnerability

Post by patric »

I'd still never enable P2P because it bypasses passwords, and a hacker can brute-force random SN to harvest random cameras until they find something interesting. It's sort of like Russian Roulette.
Revo2Maxx
Site Admin
Posts: 5914
Joined: Sat Jun 15, 2019 3:05 pm

Re: Port 37777 vulnerability

Post by Revo2Maxx »

What? P2P doesn't bypass passwords. I don't know where you came up with that idea, but that isn't true... Would love to see you make a connection to any of my 2019 FW or newer cameras over P2P without knowing the password. Also, the user of the device can change the number of times someone can try to connect before your account gets locked to the device. That is even over P2P. I would be more than happy to have you try and hack my Amcrest camera. I just removed it from my AVP and added it back using a wrong password, and after 3 tries my cell phone is now locked out and will be until the timer runs out (5 min) or the camera is rebooted. So there is very little chance of someone guessing my password. I will admit that I'm not happy about the 5 min of wait time, as I think it used to be longer. However, to be really safe, or kind of safe, use a POE NVR and POE cameras connected to the POE ports. This can be set up longer; for some of mine I have them set up for 5 tries (sadly, no lower count can be set up on my NVRs) and I have it set up to lock out for 90 min. So that is much better than the 5 min in my 2022 AI Amcrest camera that only gets 3 tries. Don't know how long you would keep trying. Then there are some devices that even have Brute Force Tracking in the security, and if it detects something like that it will blacklist the IP. So not sure where the "bypasses passwords" came from, but someone isn't telling the truth.
Be Safe.
Revo2Maxx
Site Admin
Posts: 5914
Joined: Sat Jun 15, 2019 3:05 pm

Re: Port 37777 vulnerability

Post by Revo2Maxx »

I think what you might be thinking about is the ONVIF security settings, where someone can turn off the required password setup to test that the device could connect to a recorder from another company if using a different password. However, that is over a local connection and isn't something someone should be messing with while the device is connected directly to the internet to start with.
Be Safe.