Subscriber Discussion

"Mirasys Happy With Bad Security Unless Hit With Bad Press"

As a friendly reminder to companies dealing with security: even if you don't give a crap, your customers just might. As you vehemently downplay and try to hide your failures, you're just giving the bad guys more time to act.

Case in point is Mirasys VMS, which has extremely embarrassing and serious flaws that may even compromise the entire system and the security of the areas the system is supposed to protect. It has also had these flaws for many years now, so if you haven't updated fairly recently and changed all passwords after that: too bad. Think Hikvision is bad? What if a VMS exposes all of your cameras no matter how reputable the manufacturer? Do you trust all your users?

To summarize, Mirasys VMS has had a bug/feature of transmitting almost the entire system configuration, in cleartext, from the Master server to clients every time they login, for absolutely no reason whatsoever. This - at worst - among all other information includes all credentials, including system admin accounts and all camera IPs and passwords and just about any data that was ever typed into the system. It boggles the mind how easily this can be seen, yet there's no public discussion about it. I for one suspected something like this for years but just didn't bother to check until I randomly did one day.

As of now, these bugs are supposedly fixed in certain versions and very silently indeed, as there is zero information available online about the scope and potential dangers of the flaws that might affect you. Since I haven't witnessed them disclosing any of this publicly, you may want to know that a proper fix is supposedly implemented in these versions of the three main branches, or that's what Mirasys told me at least:

- 6.4.6
- 7.5.15
- 8.1.1

Unfortunately I don't have the time, interest nor access to their downloads anymore to verify this, but maybe if you politely ask them, they may whisper to you some details if they think you're worth it.

So, out of frustration rising from their ineptitude in writing a simple security advisory so we could all patch to dodge the bullet, I'm releasing this old document with some detail about the issue so you can consider the risks yourselves, here it is:

https://www.dropbox.com/s/un43q74ie55wtpe/mirasys-vms-leak-2017.zip?dl=1

I am not a security researcher, this is just me spending my limited spare time because I think someone isn't spending their working time as they should.

Before jumping to the conclusion that linking such documents here is irresponsible on my part, let me tell you about the timeline here:

  • 01 Feb 2016: Back when I still worked with administering camera surveillance and after spending a bit of time verifying my findings, I sent Mirasys an email detailing this and venting the horror of having to manage a system with such unforgivable bugs and demanding answers - it was a long email that I had to follow with another, even longer email after I got the answer "there will be security improvements in the future". After that their CEO contacted me and told that unfortunately this "risk factor" just might affect "some users" so they'll fix it soon enough.
  • 06 May 2016: First 'fixed' version released, ie. doesn't continuously send all your credentials in cleartext anymore, but still exposes a lot of sensitive information. Only mention of the bug online is "Miscellaneous other issues addressed" in a single Changelog deep within Mirasys' Extranet, if you happen to have credentials for that.
  • Summer 2016: Switched job to an unrelated sector of IT - much happier now
  • 06 Mar 2017: After giving ample time for Mirasys to provide even a minimal security advisory about this and frustrated in their abysmal failure to do that, I wrote the document linked above and sent it directly to the Finnish Communications Regulatory Authority's National Cyber Security Centre Finland (NCSC-FI), and asked them to handle this.
  • 16 May 2017: Meeting with Mirasys and a couple of NCSC's guys - they take these things seriously like everyone should. Downplay of the problem from Mirasys as usual, they believe this is no big issue as they trust network security is top-notch in "most installations", which is absolute garbage and irrelevant.  They did, however, make a serious effort to fix the bugs in several branches of the software and that is the only act I can commend them for regarding this issue.
  • 19-25 Jun 2017: Fixed versions supposedly released. I can't see the exact date, because soon after I submitted the document, Mirasys apparently fixed their broken Extranet so it actually requires a login now. I take their word for it.
  • 04 Aug 2017: After waiting to see if they release an advisory and again being disappointed, I ask them if there is some URL where they mention the problem and which of the versions are fixed, something that I could link to people I know who need this information. I get an answer back suggesting I tell my friends to email a specific guy at Mirasys who can give them download links for the versions. I slowly start to lose patience.
  • 29 Aug 2017: I ask them again if they are ever going to release a public advisory about the patches. They say they'll ask their PR and CEO and don't answer anymore. I really start to lose patience.
  • 31 Aug 2017: I send them a frustrated email scolding them about their poor handling of this issue and once more try to appeal to their common sense to responsibly inform their customers and people who don't read their possibly-existing mailing lists.
  • 01 Sep 2017: CEO answers me with useless rhetoric and some copy-paste goofs, claiming they do keep their partners informed about security issues. I immediately answer back, obviously frustrated and slightly furious (I apologized soon afterwards for some choices of words) and tell them that if they can't handle this themselves, I'll do it for them.
  • 18 Sep 2017: With no answer from them after the last message from me, I realize I can still log in to IPVM and figure that perhaps this is not the worst place to put this information up, so that it reaches the actual users and people involved and interested in camera surveillance, without first exposing it to random internet folks who will exploit the bugs before admins have time to patch, even though it's way too late already.


All in all, Mirasys prides themselves in having an "open platform" and I honestly think their software does have some merits in flexibility. The problem is that they're not being very open as a company and perhaps too concerned with their public image and polishing turds instead of fixing long-standing core problems.

I have nearly a decade of experience administering a reasonably large-scale, distributed system with hundreds of individual users with this piece of software too and I have a fairly good sense of what they promise and how they deliver, and I wish they would just man up and never fail so hard with communication again. I sincerely hope for their sake that their latest versions don't carry a single line of code from the '90s anymore.

If you have an older version of Mirasys VMS running, just try it: fire up Wireshark, log in, and consider the implications.

EDIT: I decided to briefly try it with version 5.12.6 too, why not. No surprises there, it's broken (note, this is Windows 10):

DVMS 5.12.6

Agree
Disagree
Informative: 1
Unhelpful
Funny

without first exposing it to random internet folks who will exploit the bugs before admins have time to patch...

Could it be exploited by "random internet folks"?  

It sounds like a local LAN vulnerability, no?

Agree
Disagree
Informative
Unhelpful
Funny

Random internet folks also work as security guards, janitors etc. that frequent locations where this software is used. All they need to know is that such a flaw exists.

Agree
Disagree
Informative
Unhelpful
Funny

Random internet folks also work as security guards, janitors etc. that frequent locations where this software is used.  All they need to know is that such a flaw exists.

Having to work for the company makes them specific people not random people.

And a janitor that could exploit the bug "before admins have time to patch it" just by knowing "such a flaw exists", should consider a new line of work.

 

Agree
Disagree
Informative
Unhelpful
Funny

Consider corporations or the public sector for example: they may not hire the guards themselves, they have a contract with a big security service provider. Their people then come and go and may spend just a few nights in a location until someone else takes their place. They just get to use the software while they're there to keep an eye on things. I never knew any of them.

While it may sound far-fetched now, if you imagine a country where a cleaner gets, let's say, a $200 monthly wage, would they be willing to plug a thingy in someone's computer or network port while cleaning their desk for $50? No one will notice, they don't need to know what it's for, and that's all it takes.

It could also just be a disturbed employee making a few extra bucks with data removal services for their friends who want to rob some facility. They'll blame the admin for messing up the recording schedule and the admin won't know what happened.

There are many scenarios where this kind of thing is Bad and it's also why you don't give your users Domain Admin privilege by default for example.

Agree
Disagree
Informative
Unhelpful
Funny

There are many scenarios where this kind of thing is Bad...

No doubt.

My only objection was the use of the phrase "exposing it to random internet folks" for a LAN vulnerability.

Agree
Disagree
Informative
Unhelpful
Funny

It was a bad choice of words on my part - I was mostly referring to putting this up on Reddit or so, not that the average system can be attacked via public networks.

Agree
Disagree
Informative
Unhelpful
Funny

#1, thanks for sharing those details. I have forwarded to Mirasys asking them for comment / response.

We've never tested Mirasys so we can't readily comment on the technical specifics.

Do I understand correctly that you are looking for

(1) Validation that this was fixed

and

(2) Notification by Mirasys to their customers

Is that correct or?

Agree
Disagree
Informative
Unhelpful
Funny

Personally I believe this particular problem is likely to be fixed now, but it would certainly be interesting to have their software audited by some whitehats to find out if there are other reasons for concern. There are many factors to consider in these systems and software is just one of them.

I would have been quite happy with a simple, public and linkable bulletin from them that says "Fixed problem where passwords may be exposed, affecting versions X-Y, users are advised to update", nothing more, nothing less, but since they opted for less, I felt I needed to balance that with more. I wanted closure for this so I could just forget about it and never see a vulnerable version in the wild again.

I'm looking mostly for them to give a list of all versions that are affected - also old ones that are likely still in use somewhere, perhaps in your local nuclear plant - and not just bury the whole motivation to update said systems before they are turned into botnets.

Agree
Disagree
Informative
Unhelpful
Funny

Hi!

Mirasys does acknowledge that past software versions did have the disclosed vulnerability in older versions of our software. It has, as indicated, already been addressed in more recent versions of Mirasys VMS V6, V7 and V8 releases. Our sales and distribution channels, have access to all released software versions.

We recommend that systems are kept up to date with the latest software versions, and we also encourage that through our upgrade policies and maintenance agreements. We do point out this in product documentation as well as both sales and technical trainings delivered by us.

For deployments, we recommends that surveillance cameras are installed, when possible, in a private camera network, where the direct camera communications take place only inside the camera network to VMS servers, and is separate from the client access (“viewing”) network. This also prevents the camera streaming and signaling from being forwarded inadvertently to any external systems not part of the VMS solution. In addition, camera access from outside the private network is thus not possible. It is also a good idea to protect wide area network links with VPN (Virtual Private Networking), or other secured, connections.

In a networked, multi-server or multi-site environment, all Mirasys VMS servers and client applications can be centrally upgraded from the Mirasys management server. Please contact your local Mirasys representative for details.

Sincerely,

Agree
Disagree
Informative
Unhelpful
Funny: 2

Mirasys does acknowledge that past software versions did have the disclosed vulnerability in older versions of our software.

So: does the vulnerability affect all previous versions, ie. also DVMS 4.x/5.x that, contrary to your belief, are still deployed in the real world? This question requires an answer.

Also, please give your estimate on how many systems with more than a hundred cameras are actually currently up-to-date? My guess is 15% at most.

Recommending keeping up to date is obviously good, but whether users update or not depends on factors other than just your recommendations. For example, if the update incurs costs - obviously time and effort but possibly hardware replacement, extra training, unforeseen problems and potentially additional licensing costs when updating to a new major version - it may simply be skipped unless there is some very compelling reason to update that can be leveraged to get the extra budget needed.

For deployments, we recommends that surveillance cameras are installed, when possible, in a private camera network

That's likely everyone's recommendation, but sadly doesn't solve this problem as I have told you time and time again yet you don't seem to grasp the concept. Even if the client computer cannot network-wise reach the cameras themselves, gaining administrator access to the Master server allows tampering with every relevant part of the system regardless of network segmentation.

There are likely other attack vectors to consider here. For example, if the client software could be used to update firmware of the cameras, what would stop a malicious person from updating a camera with modified firmware that transforms it into a bot node within the camera network, wreaking havoc with the captured credentials? Sure, it might even take a whole weekend to implement.

Also, the percentage of users that have the possibility, skill and resources to adhere to every recommendation is likely much, much lower than you hope and with 100% certainty someone, somewhere has their server connected to a wireless network even. Those installations are beyond help, of course.

In addition, camera access from outside the private network is thus not possible

Yes it is. The malicious person simply uses their newly acquired admin credentials to have the VMS itself do their bidding. The point of the VMS is just that: allow management of the entire system with a single login - even if you couldn't trivially reach the web interface of each individual camera directly, you can simply disable the cameras or make a mess of the configuration and that is what matters.

In a networked, multi-server or multi-site environment, all Mirasys VMS servers and client applications can be centrally upgraded from the Mirasys management server

One just needs to hope it's the actual admin that applies the supposedly legit update.

Thanks for participating in this discussion, I look forward to your further comments.

Agree
Disagree
Informative
Unhelpful
Funny

ie. also DVMS 4.x/5.x that, contrary to your belief, are still deployed in the real world?

If someone is still running these versions they are running on a pc/server that is Windows XP or older a version that Microsoft no longer support as MR. Backstrom said update the software it has the fix. If a customer won't keep the software up to date then its the customer who is careless about security, not the VMS.

Agree: 1
Disagree: 1
Informative
Unhelpful
Funny

So you are essentially saying that if this was Microsoft and Windows Active Directory had stored everything in plain text and exposed all of it in casual network traffic in all versions prior to Windows 10 including Domain Admin credentials, directly to a typical unprivileged user to sniff and would let you mess with the domain in any way you want, it would not be news worthy and - if they neglected to disclose it - not a case for a class action lawsuit that they would lose?

Because those poor sods didn't upgrade instantly within a couple of days of release of the new version with a new price to pay, it's okay to not tell them? "Thank you for choosing Windows 10! Did you know that for the past 14 years, your computer has been vulnerable and likely has been exploited! But don't worry, the Start Menu is Back, Baby!" Nah, Microsoft actually has learned this stuff and is not that irresponsible.

Even if they were running XP, the vulnerability here concerns the VMS software. Surely it helps if they're running legacy stuff all over, but it's beside the point.

Let me reiterate my point in all of this, because I feel all of it is not obvious to everyone:

  • Those who have a support contract might have heard about this (very unlikely that it was worded in the proper way - this is business), and might have even updated. Although they probably were told that they're safe nevertheless, because bad guys are never insiders and a networking gimmick XYZ will save them and Hikasys is committed to security and blabla-di-blab.
  • They can probably run DVMS 4.x on Windows 10 too, if it matters to you. If someone can advocate a broken camera because it's cheap, do you see why someone would simply not pay for upgrade licenses, especially when the vendor can't provide any alluring new features and is silent about the security fixes that are the main point of the upgrade? I forget how much the stuff exactly costs but the cost of the license for one channel is perhaps about the same as the price of a new, affordable IP camera. In any case a semi-large installation may prepare for a quote between $0 and $200,000 when they update. Even if your hospital would pay, the remote ICBM storage might trust their old system more and keep on running it (*insert funny but true anecdote about artillery targeting systems running on Windows 3.x*).
  • That said, it's quite likely some of you are still paying your groceries at a counter running XP's embedded PoS version, so...
  • Those without a support contract, who are still running their old system because all their cameras still work or are easy to replace, and who don't want to pay for upgrade licenses for the new version because the old version still works for them, have not heard about this and cannot know unless they explicitly or accidentally noticed the security issue here themselves, because Mirasys has not publicly disclosed this for apparently anyone - they have a restricted Extranet with possibly a mention of this in the Changelogs, but I have not witnessed any of them myself. It is simply insufficient and I seriously doubt even the paying customers are informed well enough, because I actually called one of their biggest partners and a smaller one to check this, and they hadn't heard at least. The smaller partner was quite cynical though.
  • This particular software is designed to cater to large and critical environments - the city of Bangkok with 20,000 or so cameras relies on it, I'm told, and it still amazes me they chose it - but whenever there is a complex, multi-site, geographically wide area to cover with a single system, it is not entirely trivial to choose a system and update it, even if the cost wasn't an issue. It's uplifting though that there are a few others on this forum who actually understand the issues with large environments.
  • They themselves list some customer sectors such as "banks, casinos, city surveillance, educational, institutes, facilities, buildings and areas, hotels, ports, retail, sports and entertainment". I can guarantee that less than 100% percent of those systems are up-to-date, and I have also seen vulnerable systems quite recently. I also seem to recall they boasted with military contracts at some point but I have a hard time finding them now... hmm. Well, I guess they just switched the software and didn't just keep using their old license.
  • Patching this problem is critical for everyone who hasn't updated since May 2016, and absolutely required for anyone who hasn't updated in the last two months - if you didn't read the original document, let me summarize that even if admin credentials aren't leaking after the May 2016 update, a lot of the other information is, which is unacceptable for critical environments.

I welcome Mirasys to correct me in all of this, it has been a week already. At least now if someone Googles "mirasys security", after a couple of clicks they find this article. They used to find nothing.

Agree
Disagree
Informative
Unhelpful
Funny

Interesting, may be worth to look into a bit. Thanks U1

/bashis

 

Agree: 1
Disagree
Informative
Unhelpful
Funny

Uh oh ;)

Agree
Disagree
Informative
Unhelpful
Funny

Btw, bashis. Since the systems communicate unencrypted, I entertained the thought that one might be able to pull off pretty "funny"/lulzworthy UI gimmicks too by modifying the traffic. Maybe something interesting there also, if you have the time.

Agree
Disagree
Informative
Unhelpful
Funny

I edited the original post to include 5.12.6. It's vulnerable too.

Agree
Disagree
Informative
Unhelpful
Funny

Today there was a headline about a big theft at a remote storage facility of the Finnish postal service during the weekend. It apparently was the biggest postal theft ever in Finland, amounting to more than a million euros worth of brand new smartphones. This piqued my interest a bit, because while this is pure amused speculation with minimal information, it was a "funny" coincidence and I couldn't help but notice a few details about this:

  1. They at least used to be customers of Mirasys (http://www.coba.fi/files/5_Mirasys.pdf, page 29), and perhaps still use their system
  2. For some reason, it seems the cameras didn't work at the time: the police are asking the public for any clues of cars or people in the area at the time
  3. The police has said the criminals had somehow "avoided the alarm systems in a way that allowed them to take their time"
  4. They do have cameras there as can be seen on Google Maps
  5. It looks like an obvious inside job, the culprits spent hours there on two consecutive nights and it's rather odd that it seems there's no footage of what happened (reading between the lines, not explicitly mentioned for now)

Whether or not this has any relevance to the VMS or other software there doesn't really matter that much, but it feels quite like a typical "low risk, high reward" scenario where I imagined someone could exploit this hole to make their job easier, or to hide their tracks.

Still, just speculation.

Link to the longest article I found about it, in Finnish. Google's translate doesn't handle Finnish very well but you can try

P.S. I did inform the police about this just in case, since they asked for any clues and eyewitnesses.

(Edit: made proper links)

Agree
Disagree
Informative: 1
Unhelpful
Funny

There is now an "umbrella" CVE for this, from which individual ones may be crafted as required. I didn't bother.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Good to hear, and also that FD once again bring things where it should be.

I have some of this SW in my possession, but unfortunately I had no time yet to look into this deeper...

/bashis

Agree: 1
Disagree
Informative
Unhelpful
Funny