Subscriber Discussion

A Commendable, Proactive Cybersecurity Alert....?

Undisclosed Manufacturer #1
Apr 25, 2018

Just got an email from Milestone about a potential vulnerability in their products. We don't use Milestone regularly but have done some work with it in the past, so I guess that is how I got on the email list. This is the first I have heard of this alert as I don't remember seeing it on IPVM (my primary industry news source!).

So is this really a proactive effort on Milestone's part to disclose an issue and provide a fix?

I was happy to see at ISC West one of the speakers addressing pretty extensively the issue of and challenges to addressing cyber security with the rise of IoT.


Excerpt

===================

Dear xxxxxxxxx,

 This email contains information about a potential security vulnerability in XProtect Corporate, Expert, Professional+, Express+ and Essential+.

With input from MWR InfoSecurity, a cybersecurity consultancy, we have identified a certain component used by the products listed above, that in certain setups where a set of specific ports are open, can be exploited to achieve elevated user rights and/or interrupt user's access to the system.

Ensuring the security and integrity of all Milestone installations has always been a top priority to us, and we decided to address this issue immediately by releasing a security patch that mitigates this vulnerability.

Affected products

All versions of XProtect Corporate, Expert, Professional+, Express+ and Essential+.

Recommended step for mitigation

You can mitigate this issue in two ways:

  1. By patching the installation using the security patch. Patches are available for versions 2018 R1, 2017 R3, 2017 R2, 2017 R1, 2016 R3, 2016 R2, 2016 R1. Access the patches here

NOTE: installations running versions older than 2016 R1 must be upgraded to version 2016 R1 or later before installing the patch.

  2. By upgrading the installation to the 2018 R2 version of the products available June 7, where the mitigation of this issue has been already built into the product.

Access the installation files here

NOTE: all the above installation files already include the patch.

If you have questions or are in doubt about the recommended actions:

CONTACT SUPPORT

John Honovich
Apr 25, 2018
IPVM

Yes, that is a proactive attempt. They also called me last night to explain.

Right now, we are working on a post for a new more serious Hikvision vulnerability that has not been disclosed to partners yet, see here for researcher's disclosure.

We will circle back around to the Milestone one.
