Subscriber Discussion

I Have To Give Milestone A Lot Of Credit For This.

Undisclosed Integrator #1
May 23, 2017

This email in my inbox today explains itself (pasted below); they have got to be the first manufacturer that has come out and acknowledged a potential problem that they made.

*****************************************************************************************************


This email contains information about a potential security vulnerability related to customers who have enabled remote access via the mobile server on XProtect Go, Essential and Express.

To make our entry-level VMS easier to use, we initially designed the installation/upgrade process in a way that added a default basic user with a default password. This practice potentially allows unauthorized people to access camera feeds if the user is not deleted or password changed after the installation/upgrade process.

In a recent security policy review, and with input from an APAC community partner, we have decided to address and change this practice immediately. Ensuring the security and integrity of all Milestone installations will always remain a top priority to us and this practice does not adhere to our cybersecurity standards.
Affected products

  • No versions of Expert or Corporate are affected.
  • None of the Husky NVRs are affected.
  • XProtect Professional and XProtect Enterprise only if upgraded from the entry-level VMS listed below.
  • XProtect Express 1.0a to 2017 R1
  • XProtect Essential 2.0a to 2017 R1
  • XProtect Go all versions (all discontinued)


We recommend taking action as described below

  1. Check to see if any of your customers are running on any of the affected product versions:
     To do so, log in to the Customer Dashboard, navigate to Software Registration, select Customers and Licenses and click the License tab to search for affected products in order to identify the customers that potentially have this issue.

  2. Check for the vulnerability on your customer's installation:
     Open the "XProtect Management Application" and navigate to "Users". If user "admin" with User Type Basic is present, the issue could be present.

  3. SOLVE the issue in your customer's installation:
     You can mitigate the issue in two ways:
     • Through update: Update the installation to the 2017 R2 version of the products available June 8. None of the XProtect 2017 R2 products will have this issue.
     • Instantly: Right-click on the user "admin" and select either "Delete User" or "Properties --> User Information" to change the password.

If you have questions or are in doubt about the recommended actions, contact support.

John Honovich
May 23, 2017
IPVM

#1, thanks for sharing. We had a briefing with Milestone just a short while ago. We plan a full post tomorrow but the letter is pretty clear explaining what it is.

Armando Perez
May 24, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

And THAT is how you get in front of something ladies and gents.

Undisclosed Integrator #2
May 24, 2017

I agree, Milestone has always been quite professional. This is an example of how to notify integrators of a security risk properly.
