As a friendly reminder to companies dealing with security: even if you don't give a crap, your customers just might. As you vehemently downplay and try to hide your failures, you're just giving the bad guys more time to act.
Case in point is Mirasys VMS, which has extremely embarrassing and serious flaws that may even compromise the entire system and the security of the areas the system is supposed to protect. It has also had these flaws for many years now, so if you haven't updated fairly recently and changed all passwords after that: too bad. Think Hikvision is bad? What if a VMS exposes all of your cameras no matter how reputable the manufacturer? Do you trust all your users?
To summarize, Mirasys VMS has had a bug/feature of transmitting almost the entire system configuration, in cleartext, from the Master server to clients every time they login, for absolutely no reason whatsoever. This - at worst - among all other information includes all credentials, including system admin accounts and all camera IPs and passwords and just about any data that was ever typed into the system. It boggles the mind how easily this can be seen, yet there's no public discussion about it. I for one suspected something like this for years but just didn't bother to check until I randomly did one day.
As of now, these bugs are supposedly fixed in certain versions and very silently indeed, as there is zero information available online about the scope and potential dangers of the flaws that might affect you. Since I haven't witnessed them disclosing any of this publicly, you may want to know that a proper fix is supposedly implemented in these versions of the three main branches, or that's what Mirasys told me at least:
- 6.4.6
- 7.5.15
- 8.1.1
Unfortunately I don't have the time, interest nor access to their downloads anymore to verify this, but maybe if you politely ask them, they may whisper to you some details if they think you're worth it.
So, out of frustration rising from their ineptitude in writing a simple security advisory so we could all patch to dodge the bullet, I'm releasing this old document with some detail about the issue so you can consider the risks yourselves, here it is:
https://www.dropbox.com/s/un43q74ie55wtpe/mirasys-vms-leak-2017.zip?dl=1
I am not a security researcher, this is just me spending my limited spare time because I think someone isn't spending their working time as they should.
Before jumping to the conclusion that linking such documents here is irresponsible on my part, let me tell you about the timeline here:
- 01 Feb 2016: Back when I still worked with administering camera surveillance and after spending a bit of time verifying my findings, I sent Mirasys an email detailing this and venting the horror of having to manage a system with such unforgivable bugs and demanding answers - it was a long email that I had to follow with another, even longer email after I got the answer "there will be security improvements in the future". After that their CEO contacted me and told that unfortunately this "risk factor" just might affect "some users" so they'll fix it soon enough.
- 06 May 2016: First 'fixed' version released, ie. doesn't continuously send all your credentials in cleartext anymore, but still exposes a lot of sensitive information. Only mention of the bug online is "Miscellaneous other issues addressed" in a single Changelog deep within Mirasys' Extranet, if you happen to have credentials for that.
- Summer 2016: Switched job to an unrelated sector of IT - much happier now
- 06 Mar 2017: After giving ample time for Mirasys to provide even a minimal security advisory about this and frustrated in their abysmal failure to do that, I wrote the document linked above and sent it directly to the Finnish Communications Regulatory Authority's National Cyber Security Centre Finland (NCSC-FI), and asked them to handle this.
- 16 May 2017: Meeting with Mirasys and a couple of NCSC's guys - they take these things seriously like everyone should. Downplay of the problem from Mirasys as usual, they believe this is no big issue as they trust network security is top-notch in "most installations", which is absolute garbage and irrelevant. They did, however, make a serious effort to fix the bugs in several branches of the software and that is the only act I can commend them for regarding this issue.
- 19-25 Jun 2017: Fixed versions supposedly released. I can't see the exact date, because soon after I submitted the document, Mirasys apparently fixed their broken Extranet so it actually requires a login now. I take their word for it.
- 04 Aug 2017: After waiting to see if they release an advisory and again being disappointed, I ask them if there is some URL where they mention the problem and which of the versions are fixed, something that I could link to people I know who need this information. I get an answer back suggesting I tell my friends to email a specific guy at Mirasys who can give them download links for the versions. I slowly start to lose patience.
- 29 Aug 2017: I ask them again if they are ever going to release a public advisory about the patches. They say they'll ask their PR and CEO and don't answer anymore. I really start to lose patience.
- 31 Aug 2017: I send them a frustrated email scolding them about their poor handling of this issue and once more try to appeal to their common sense to responsibly inform their customers and people who don't read their possibly-existing mailing lists.
- 01 Sep 2017: CEO answers me with useless rhetoric and some copy-paste goofs, claiming they do keep their partners informed about security issues. I immediately answer back, obviously frustrated and slightly furious (I apologized soon afterwards for some choices of words) and tell them that if they can't handle this themselves, I'll do it for them.
- 18 Sep 2017: With no answer from them after the last message from me, I realize I can still log in to IPVM and figure that perhaps this is not the worst place to put this information up, so that it reaches the actual users and people involved and interested in camera surveillance, without first exposing it to random internet folks who will exploit the bugs before admins have time to patch, even though it's way too late already.
All in all, Mirasys prides themselves in having an "open platform" and I honestly think their software does have some merits in flexibility. The problem is that they're not being very open as a company and perhaps too concerned with their public image and polishing turds instead of fixing long-standing core problems.
I have nearly a decade of experience administering a reasonably large-scale, distributed system with hundreds of individual users with this piece of software too and I have a fairly good sense of what they promise and how they deliver, and I wish they would just man up and never fail so hard with communication again. I sincerely hope for their sake that their latest versions don't carry a single line of code from the '90s anymore.
If you have an older version of Mirasys VMS running, just try it: fire up Wireshark, log in, and consider the implications.
EDIT: I decided to briefly try it with version 5.12.6 too, why not. No surprises there, it's broken (note, this is Windows 10):