Subscriber Discussion
"Mirasys Happy With Bad Security Unless Hit With Bad Press"
As a friendly reminder to companies dealing with security: even if you don't give a crap, your customers just might. As you vehemently downplay and try to hide your failures, you're just giving the bad guys more time to act.
Case in point is Mirasys VMS, which has extremely embarrassing and serious flaws that may even compromise the entire system and the security of the areas the system is supposed to protect. It has also had these flaws for many years now, so if you haven't updated fairly recently and changed all passwords after that: too bad. Think Hikvision is bad? What if a VMS exposes all of your cameras no matter how reputable the manufacturer? Do you trust all your users?
To summarize, Mirasys VMS has had a bug/feature of transmitting almost the entire system configuration, in cleartext, from the Master server to clients every time they log in, for absolutely no reason whatsoever. This - at worst - among all other information includes all credentials, including system admin accounts and all camera IPs and passwords and just about any data that was ever typed into the system. It boggles the mind how easily this can be seen, yet there's no public discussion about it. I for one suspected something like this for years but just didn't bother to check until I randomly did one day.
As of now, these bugs are supposedly fixed in certain versions and very silently indeed, as there is zero information available online about the scope and potential dangers of the flaws that might affect you. Since I haven't witnessed them disclosing any of this publicly, you may want to know that a proper fix is supposedly implemented in these versions of the three main branches, or that's what Mirasys told me at least:
- 6.4.6
- 7.5.15
- 8.1.1
Unfortunately I don't have the time, interest nor access to their downloads anymore to verify this, but maybe if you politely ask them, they may whisper to you some details if they think you're worth it.
So, out of frustration rising from their ineptitude in writing a simple security advisory so we could all patch to dodge the bullet, I'm releasing this old document with some detail about the issue so you can consider the risks yourselves, here it is:
https://www.dropbox.com/s/un43q74ie55wtpe/mirasys-vms-leak-2017.zip?dl=1
I am not a security researcher, this is just me spending my limited spare time because I think someone isn't spending their working time as they should.
Before jumping to the conclusion that linking such documents here is irresponsible on my part, let me tell you about the timeline here:
- 01 Feb 2016: Back when I still worked with administering camera surveillance and after spending a bit of time verifying my findings, I sent Mirasys an email detailing this and venting the horror of having to manage a system with such unforgivable bugs and demanding answers - it was a long email that I had to follow with another, even longer email after I got the answer "there will be security improvements in the future". After that their CEO contacted me and told me that unfortunately this "risk factor" just might affect "some users" so they'll fix it soon enough.
- 06 May 2016: First 'fixed' version released, i.e. it doesn't continuously send all your credentials in cleartext anymore, but still exposes a lot of sensitive information. Only mention of the bug online is "Miscellaneous other issues addressed" in a single Changelog deep within Mirasys' Extranet, if you happen to have credentials for that.
- Summer 2016: Switched job to an unrelated sector of IT - much happier now
- 06 Mar 2017: After giving ample time for Mirasys to provide even a minimal security advisory about this and frustrated by their abysmal failure to do that, I wrote the document linked above and sent it directly to the Finnish Communications Regulatory Authority's National Cyber Security Centre Finland (NCSC-FI), and asked them to handle this.
- 16 May 2017: Meeting with Mirasys and a couple of NCSC's guys - they take these things seriously like everyone should. Downplay of the problem from Mirasys as usual, they believe this is no big issue as they trust network security is top-notch in "most installations", which is absolute garbage and irrelevant. They did, however, make a serious effort to fix the bugs in several branches of the software and that is the only act I can commend them for regarding this issue.
- 19-25 Jun 2017: Fixed versions supposedly released. I can't see the exact date, because soon after I submitted the document, Mirasys apparently fixed their broken Extranet so it actually requires a login now. I take their word for it.
- 04 Aug 2017: After waiting to see if they release an advisory and again being disappointed, I ask them if there is some URL where they mention the problem and which of the versions are fixed, something that I could link to people I know who need this information. I get an answer back suggesting I tell my friends to email a specific guy at Mirasys who can give them download links for the versions. I slowly start to lose patience.
- 29 Aug 2017: I ask them again if they are ever going to release a public advisory about the patches. They say they'll ask their PR and CEO and don't answer anymore. I really start to lose patience.
- 31 Aug 2017: I send them a frustrated email scolding them about their poor handling of this issue and once more try to appeal to their common sense to responsibly inform their customers and people who don't read their possibly-existing mailing lists.
- 01 Sep 2017: CEO answers me with useless rhetoric and some copy-paste goofs, claiming they do keep their partners informed about security issues. I immediately answer back, obviously frustrated and slightly furious (I apologized soon afterwards for some choices of words) and tell them that if they can't handle this themselves, I'll do it for them.
- 18 Sep 2017: With no answer from them after the last message from me, I realize I can still log in to IPVM and figure that perhaps this is not the worst place to put this information up, so that it reaches the actual users and people involved and interested in camera surveillance, without first exposing it to random internet folks who will exploit the bugs before admins have time to patch, even though it's way too late already.
All in all, Mirasys prides themselves in having an "open platform" and I honestly think their software does have some merits in flexibility. The problem is that they're not being very open as a company and perhaps too concerned with their public image and polishing turds instead of fixing long-standing core problems.
I have nearly a decade of experience administering a reasonably large-scale, distributed system with hundreds of individual users with this piece of software too and I have a fairly good sense of what they promise and how they deliver, and I wish they would just man up and never fail so hard with communication again. I sincerely hope for their sake that their latest versions don't carry a single line of code from the '90s anymore.
If you have an older version of Mirasys VMS running, just try it: fire up Wireshark, log in, and consider the implications.
EDIT: I decided to briefly try it with version 5.12.6 too, why not. No surprises there, it's broken (note, this is Windows 10):

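As an added example (not code from the original post and not Mirasys' software), here is an offline version of the "fire up Wireshark, log in" check above: it walks a standard pcap, reassembles each TCP direction by sequence number so a secret split across two segments is still found, and reports credential-looking fields and IPv4 addresses sent in the clear. The server and client addresses, port 5000 and the XML-ish configuration blob are constructed stand-ins, because the post does not document the real wire format; only the method carries over, not the payload layout.

```python
"""Offline version of the "fire up Wireshark, log in" check from the post.
Added example (not from the post or from Mirasys): walk a pcap, reassemble each
TCP direction by sequence number, report cleartext credential-looking fields and
IPv4 addresses. Addresses, port 5000 and the config blob are CONSTRUCTED stand-ins;
the post does not document the real wire format, only the method carries over.
"""
import re
import struct
from collections import defaultdict

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

# Credential-looking fields: key=value / key: value pairs and <Password> elements.
CRED_PATTERNS = [
    re.compile(rb'(?i)(?:pass(?:word)?|pwd|secret|token)\s*[=:]\s*["\']?([^\s"\'<&;,]+)'),
    re.compile(rb'<password>([^<]*)</password>', re.I),
]
IPV4_RE = re.compile(rb'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def iter_pcap_records(data):
    """Yield raw frames from a little-endian pcap byte string (classic pcap, not pcapng)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack('<IHHiIII', data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError('expected little-endian pcap with Ethernet frames')
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack('<IIII', data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src 'ip:port', dst 'ip:port', seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # protocol 6 = TCP
        return None
    total_len = struct.unpack('!H', ip[2:4])[0]
    src = '.'.join(map(str, ip[12:16]))
    dst = '.'.join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack('!HHI', tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return f'{src}:{sport}', f'{dst}:{dport}', seq, tcp[data_off:]


def reassemble(frames):
    """Concatenate each flow's payload in sequence order (no overlap/loss handling)."""
    flows = defaultdict(list)
    for frame in frames:
        seg = tcp_segment(frame)
        if seg and seg[3]:
            flows[(seg[0], seg[1])].append((seg[2], seg[3]))
    return {k: b''.join(p for _, p in sorted(v)) for k, v in flows.items()}


def audit_capture(pcap_bytes):
    """Map 'src -> dst' to the secrets and hosts found in cleartext on that flow."""
    report = {}
    for (src, dst), stream in reassemble(iter_pcap_records(pcap_bytes)).items():
        secrets = [m.group(1).decode('latin-1') for pat in CRED_PATTERNS
                   for m in pat.finditer(stream)]
        hosts = sorted({m.group().decode() for m in IPV4_RE.finditer(stream)})
        if secrets or hosts:
            report[f'{src} -> {dst}'] = {'secrets': secrets, 'hosts': hosts}
    return report


# --- constructed capture (hypothetical addresses/port, NOT the real Mirasys format) ---
SERVER, CLIENT, SERVER_PORT, CLIENT_PORT = '10.0.0.5', '10.0.0.77', 5000, 49152
SAMPLE_CONFIG = (
    b'<SystemConfiguration>\n'
    b'  <User name="admin"><Password>Sup3rSecret!</Password></User>\n'
    b'  <Camera name="Gate 1" address="10.20.0.11" user="root" password="cam-pass-1"/>\n'
    b'  <Camera name="Dock 4" address="10.20.0.14" user="root" password="cam-pass-4"/>\n'
    b'</SystemConfiguration>\n'
)


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left at zero (the parser ignores them)."""
    eth = b'\x00' * 12 + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split('.'))), bytes(map(int, dst_ip.split('.'))))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Login exchange: client hello, then the config pushed in two out-of-order segments."""
    cut = SAMPLE_CONFIG.index(b'Sup3rSecret!') + 5      # split mid-password on purpose
    frames = [
        build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1, b'HELLO client 1.2\n'),
        build_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, 1000 + cut, SAMPLE_CONFIG[cut:]),
        build_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, 1000, SAMPLE_CONFIG[:cut]),
    ]
    header = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b''.join(struct.pack('<IIII', 0, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


if __name__ == '__main__':
    for flow, found in audit_capture(build_sample_pcap()).items():
        print(flow, found)
```

Run it against a real capture by replacing `build_sample_pcap()` with the bytes of a pcap saved from Wireshark (File > Save As, pcap format) while a client logs in; anything the script lists under `secrets` or `hosts` is what every user with a packet capture on that segment can read too. The regexes are deliberately loose and will produce false positives on a real stream; the point is to surface candidates for a human to confirm, not to be a precise protocol decoder.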
"without first exposing it to random internet folks who will exploit the bugs before admins have time to patch..."
Could it be exploited by "random internet folks"?
It sounds like a local LAN vulnerability, no?
#1, thanks for sharing those details. I have forwarded to Mirasys asking them for comment / response.
We've never tested Mirasys so we can't readily comment on the technical specifics.
Do I understand correctly that you are looking for
(1) Validation that this was fixed
and
(2) Notification by Mirasys to their customers
Is that correct or?
Hi!
Mirasys does acknowledge that past software versions did have the disclosed vulnerability in older versions of our software. It has, as indicated, already been addressed in more recent versions of Mirasys VMS V6, V7 and V8 releases. Our sales and distribution channels have access to all released software versions.
We recommend that systems are kept up to date with the latest software versions, and we also encourage that through our upgrade policies and maintenance agreements. We do point this out in product documentation as well as in both sales and technical trainings delivered by us.
For deployments, we recommend that surveillance cameras are installed, when possible, in a private camera network, where direct camera communications take place only inside the camera network to the VMS servers, and which is separate from the client access (“viewing”) network. This also prevents the camera streaming and signaling from being forwarded inadvertently to any external systems not part of the VMS solution. In addition, camera access from outside the private network is thus not possible. It is also a good idea to protect wide area network links with VPN (Virtual Private Networking), or other secured, connections.
In a networked, multi-server or multi-site environment, all Mirasys VMS servers and client applications can be centrally upgraded from the Mirasys management server. Please contact your local Mirasys representative for details.
Sincerely,
Interesting, may be worth looking into a bit. Thanks U1
/bashis
I edited the original post to include 5.12.6. It's vulnerable too.
Today there was a headline about a big theft at a remote storage facility of the Finnish postal service during the weekend. It apparently was the biggest postal theft ever in Finland, amounting to more than a million euros worth of brand new smartphones. This piqued my interest a bit, because while this is pure amused speculation with minimal information, it was a "funny" coincidence and I couldn't help but notice a few details about this:
- They at least used to be customers of Mirasys (http://www.coba.fi/files/5_Mirasys.pdf, page 29), and perhaps still use their system
- For some reason, it seems the cameras didn't work at the time: the police are asking the public for any clues of cars or people in the area at the time
- The police have said the criminals had somehow "avoided the alarm systems in a way that allowed them to take their time"
- They do have cameras there as can be seen on Google Maps
- It looks like an obvious inside job, the culprits spent hours there on two consecutive nights and it's rather odd that it seems there's no footage of what happened (reading between the lines, not explicitly mentioned for now)
Whether or not this has any relevance to the VMS or other software there doesn't really matter that much, but it feels quite like a typical "low risk, high reward" scenario where I imagined someone could exploit this hole to make their job easier, or to hide their tracks.
Still, just speculation.
Link to the longest article I found about it, in Finnish. Google Translate doesn't handle Finnish very well but you can try
P.S. I did inform the police about this just in case, since they asked for any clues and eyewitnesses.
(Edit: made proper links)
There is now an "umbrella" CVE for this, from which individual ones may be crafted as required. I didn't bother.
Good to hear, and also that FD once again brings things to where they should be.
I have some of this SW in my possession, but unfortunately I had no time yet to look into this deeper...
/bashis