*** ****, ***** ********, issued * ****** [**** no ****** *********], ********* to **** *** ******** us ********** *****.
*** ******* ** *** VMSes **** ******* ** cameras ** *****, ***** we ******* ** **** infrequently ****. ***** **** do *** *** ***** would ** ******* ** this **** **********.
**** ***** *******, * video ************ **** ***** rightfully ****** **** ****** credentials ***** *** ** accessed / ***********. *******, Total ******** ****** **** these ***** *** *********** be *******, ****** [**** no ****** *********]:
"**** *** ************ ** diverting *** ******* ******* the ******* *** *** VMS ***** ***** ** perform ** **** ************** downgrade ****** ** *** the *** ** ******* credentials *** **** ***** authentication ******* ** **** Digest **************.
**** *** ******** ******* the *** ****** ** to ********* *** ************** protocol *** **** *** validate **** * *********** is ** *** **** using *****."
***** ******** **** **** believe ***** *** ******* might ** *********** ** this *** **** *** working ** ****** ****.
[******: ******* ******* * fix *** **** *******, noted ** ****** ** the ******** *****.]
******* ** *** **** is ********, ***** ************* very *** *** ***** with ***** ******, **** hack ** *** * widespread ******* (****** *** using ***** *** **** well ** * ******* in ******).
*** ** *** ******* recently *** * **** showing **** *** ***** ******* ***** ** ********* Rtsp/Rtp ****** ***** ***** ** ******** ***** defend ******* ****. *******, Total ******** *******, ********** that ********* "**** *** ******** **** the ****** ** ** connecting ** ** * camera ****** ****** ** authenticate."
******* **** ** ***** is ****** *** ********* capabilities ** ******.
Comments (18)
Undisclosed Integrator #1
Comes down to design. You shouldn't be designing it in such a way that you aren't using a VPN over the internet, a VLAN internally, or your own security LAN.
Undisclosed Manufacturer #3
Some cameras allow you to require digest authentication, as opposed to allowing digest/basic to both be available. I think the trick is that the VMS needs to have a setting to require SSL or digest authentication, and to fail the connection otherwise - so it couldn't then back down to basic authentication.
Using 802.1x and IP filtering can require a certificate for the device to allow it on to the network and then who it talks to. This could then ensure a 3rd party isn't inserted into the conversation...
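Added example (not code from any VMS or commenter in this thread) of the client-side setting described above: the VMS parses the camera's WWW-Authenticate challenges and refuses to fall back to Basic unless TLS protects the transport. The header strings are constructed.

```python
import re
from typing import Dict, List, Tuple

class DowngradeError(Exception):
    """Raised when the only usable scheme would send the password in clear."""

# One token per match: a bare scheme name, or key=value (quoted or not).
_TOKEN = re.compile(r'\s*([A-Za-z0-9_.-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^,\s]*))?\s*,?')

def parse_challenges(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a WWW-Authenticate value into (scheme, params) pairs.
    A bare token starts a new challenge; key=value attaches to the current one.
    Quoted values may contain commas, e.g. qop="auth,auth-int"."""
    challenges: List[Tuple[str, Dict[str, str]]] = []
    pos = 0
    while pos < len(header):
        m = _TOKEN.match(header, pos)
        if not m or m.end() == pos:
            break
        pos = m.end()
        name, value = m.group(1), m.group(2)
        if value is None:
            challenges.append((name, {}))
        elif challenges:
            challenges[-1][1][name.lower()] = value.strip('"')
    return challenges

def select_scheme(header: str, over_tls: bool) -> str:
    """Decide how the VMS answers a camera's challenge.
    Policy: use Digest when offered; accept Basic only when TLS protects the
    transport; otherwise fail the connection rather than backing down to Basic,
    which is exactly what a rewritten (downgraded) challenge is trying to force."""
    offered = {scheme.lower() for scheme, _ in parse_challenges(header)}
    if "digest" in offered:
        return "digest"
    if "basic" in offered:
        if over_tls:
            return "basic"
        raise DowngradeError(f"refusing Basic over plaintext HTTP: {header!r}")
    raise ValueError(f"no supported scheme offered: {header!r}")

if __name__ == "__main__":
    # Constructed challenges: what a camera normally sends, and a Basic-only one.
    genuine = 'Digest realm="cam", qop="auth,auth-int", nonce="n1", algorithm=MD5'
    stripped = 'Basic realm="cam"'
    print(select_scheme(genuine, over_tls=False))   # digest
    try:
        select_scheme(stripped, over_tls=False)
    except DowngradeError as e:
        print("blocked:", e)
```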
Miriam Rautiainen
I’m the Product Manager for Aimetis Symphony VMS.
While the security vulnerability described is primarily a network issue and requires access to the LAN on which the VMS and cameras are operating, Aimetis’ latest Device Pack (DP-35), released last week, addresses this issue. Aimetis DP-35 and the accompanying Release Notes are available free for download for all of our distributors and resellers. This free update prevents potential attacks described above by disallowing the HTTP authentication downgrade.
Aimetis takes all potential security issues seriously and deals with these matters in a proactive and transparent nature. In addition to providing free software fixes, Aimetis issues Security Advisories on its website that provide instructions for issue resolution along with technical support details. We also immediately notify all Aimetis certified distributors and resellers globally about the Security Advisory regardless of how remote the risk may be.
Undisclosed #2
This is a good opportunity for ONSSI Ocularis 5.0 to shine over Milestone!
Did SeeTec do security right?
John Honovich
Genetec released 2 knowledge base articles related to this topic:
This article explains how to deactivate basic authentication for the HTTP and RTSP protocols to prevent Address Resolution Protocol (ARP) spoofing attacks between the Archiver and a camera.
This article explains how to reactivate basic authentication when an HTTPS connection type is being used for a camera.
Ryan Twitchell
Easy to read breakdown on these types of attacks: https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack
I actually want to play the devil's advocate for basic authentication as I see it getting some bad press.
TL;DR: if you have an encrypted connection (including HTTPS) or otherwise can prevent interception of your HTTP streams, basic authentication can be a good thing. If you are using only HTTP and are sending data through hostile territory, then digest authentication may be the way to go.
This is as far as HTTP server security is concerned (and every IP camera is basically a little HTTP server) and may not be applicable in all contexts:
Digest authentication has a minor problem. Due to how digest authentication works, it typically requires the server to store your password on disk in order to authenticate you. Basic authentication, however, allows the server to keep only a hash (a "fingerprint") of the password. Storing only the hash makes it more difficult for anyone accessing the server (or camera) to discover your password. But servers that store the whole password (like any time digest auth is used) make this data available to anyone who gains access to the server. Since passwords get reused a lot, this kind of breach can have a bigger impact.
Yes, basic auth sends your password over the wire. Any kind of connection can involve sensitive information, and technologies like HTTPS and TLS are designed to protect this information when used properly, and when kept up to date with known vulnerabilities.
I cannot find an easily digestible reference to support this right now (no pun intended), but anyone interested should be able to confirm this with a little research.
Ryan Twitchell
I was writing based on some old memories, but a quick read of the RFC shows that you are correct for some cases. My goal in posting previously was not to argue against digest authentication, only to raise awareness that basic authentication is not always to be shunned.
I would not argue this point further, except to mention that digest auth depends specifically on the MD5 algorithm. I do not believe storing a password based on its MD5 digest is considered safe in recent years, due to advances in collision attacks against MD5 specifically. Not depending on HTTP digest authentication, a server could store passwords with any hash algorithm (such as bcrypt) and be able to use basic auth.
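Added example, not from either of Ryan's posts, showing the storage difference he describes: a server can verify Digest only from a stored HA1 (an MD5 over user, realm and password, which is password-equivalent), while a server taking Basic can verify against a salted, iterated hash. PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 from RFC 2617. Anyone holding it can answer every Digest challenge
    for this user and realm, so it is as sensitive as the password itself."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client 'response' field for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    """Verifies Digest auth; it can only do so from a stored HA1 (or the password)."""
    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.ha1_by_user: Dict[str, str] = {}
    def enroll(self, user: str, password: str) -> None:
        self.ha1_by_user[user] = digest_ha1(user, self.realm, password)
    def verify(self, user: str, method: str, f: Dict[str, str]) -> bool:
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, f["uri"], f["nonce"],
                                   f["nc"], f["cnonce"], f.get("qop", "auth"))
        return hmac.compare_digest(expected, f["response"])

class BasicServer:
    """Verifies Basic auth against a salted, iterated hash; the stored record
    cannot be replayed as a credential. PBKDF2 stands in for bcrypt here."""
    ITERATIONS = 200_000
    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, bytes]] = {}
    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self.records[user] = (salt, self._hash(password, salt))
    def verify(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))
```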
John Honovich
Note: Milestone confirms they are aware of this issue, we are awaiting a response. One would hope they would respond sooner to such concerns.