Just got an email from Milestone about a potential vulnerability in their products. We don't use Milestone regularly but have done some work with it in the past, so I guess that is how I got on the email list. This is the first I have heard of this alert, as I don't remember seeing it on IPVM (my primary industry news source!).
So is this really a proactive effort on Milestone's part to disclose an issue and provide a fix?
I was happy to see at ISC West one of the speakers addressing pretty extensively the issue of, and challenges to, addressing cyber security with the rise of IoT.
Excerpt
===================
Dear xxxxxxxxx,
This email contains information about a potential security vulnerability in XProtect Corporate, Expert, Professional+, Express+ and Essential+.
With input from MWR InfoSecurity, a cybersecurity consultancy, we have identified a certain component used by the products listed above that, in certain setups where a set of specific ports are open, can be exploited to achieve elevated user rights and/or interrupt users' access to the system.
Ensuring the security and integrity of all Milestone installations has always been a top priority to us, and we decided to address this issue immediately by releasing a security patch that mitigates this vulnerability.
Affected products
All versions of XProtect Corporate, Expert, Professional+, Express+ and Essential+.
Recommended steps for mitigation
You can mitigate this issue in two ways:
- By patching the installation using the security patch. Patches are available for versions 2018 R1, 2017 R3, 2017 R2, 2017 R1, 2016 R3, 2016 R2, 2016 R1. Access the patches here.
NOTE: installations running versions older than 2016 R1 must be upgraded to version 2016 R1 or later before installing the patch.
- By upgrading the installation to the 2018 R2 version of the products, available June 7, where the mitigation of this issue has already been built into the product.
Access the installation files here.
NOTE: all the above installation files already include the patch.
If you have questions or are in doubt about the recommended actions:
CONTACT SUPPORT
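For anyone with more than one XProtect site to look after, the remediation decision in the email boils down to three cases by installed version: 2018 R2 or newer already carries the fix, 2016 R1 through 2018 R1 take the security patch, and anything older than 2016 R1 has to be upgraded to 2016 R1 or later before the patch can be applied. The script below is an added example (not Milestone's code and not from the email) that turns that decision into a triage routine over a constructed inventory; it assumes version strings in the "YYYY Rn" form the email uses, and it does not attempt to detect the affected component or the open ports, which the email does not identify.

```python
import re
from typing import Dict, List, Tuple

# Version boundaries quoted directly from the Milestone email.
FIRST_PATCHABLE = "2016 R1"   # oldest version that has a security patch
FIXED_IN = "2018 R2"          # first release with the mitigation built in

# Action codes returned by recommend()
ALREADY_FIXED = "already_fixed"
APPLY_PATCH = "apply_patch"
UPGRADE_FIRST = "upgrade_to_2016R1_or_later_then_patch"
UNPARSEABLE = "unparseable_version"

_VERSION_RE = re.compile(r"^\s*(\d{4})\s*R\s*(\d+)\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int]:
    """Parse 'YYYY Rn' (case-insensitive, whitespace tolerant) into a
    comparable (year, release) tuple. Raises ValueError on anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a 'YYYY Rn' version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def recommend(version_text: str) -> str:
    """Map an installed XProtect version to the email's recommended action."""
    try:
        installed = parse_version(version_text)
    except ValueError:
        return UNPARSEABLE
    if installed >= parse_version(FIXED_IN):
        return ALREADY_FIXED
    if installed >= parse_version(FIRST_PATCHABLE):
        return APPLY_PATCH
    return UPGRADE_FIRST


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {hostname: action} for a list of (hostname, version) pairs."""
    return {host: recommend(version) for host, version in inventory}


def summarize(actions: Dict[str, str]) -> Dict[str, int]:
    """Count hosts per action so the backlog can be sized at a glance."""
    counts: Dict[str, int] = {}
    for action in actions.values():
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("vms-hq-01", "2018 R2"),
    ("vms-hq-02", "2017 R3"),
    ("vms-branch-a", "2016 r1"),
    ("vms-branch-b", "2015 R3"),
    ("vms-lab", "build 1234"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for host, action in result.items():
        print(f"{host:14} -> {action}")
    print(summarize(result))
```

The ordering relies on the fact that Milestone's year-plus-release naming sorts correctly as a (year, release) tuple, so the same function covers versions the email does not list explicitly (for example a future 2019 R1 is treated as already fixed); hosts whose reported version cannot be parsed are flagged rather than silently skipped, since those are exactly the machines most likely to be forgotten.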