Claimed Security Vulnerability in Axis, Aimetis and Milestone VMSes

Author: John Honovich, Published on Nov 09, 2015

A Swedish research firm has claimed to discover a 'critical vulnerability' in major VMS software platforms including Axis (ACS), Aimetis and Milestone.

* ******* ******** **** *** ******* ** ******** * '******** vulnerability' ** ***** *** ******** ********* ********* **** (***), ******* and *********.

[***************]

*** ****,***** ********, ****** * ******, ********* ** **** *** ******** ** ********** *****.

*** ******* ** *** ***** **** ******* ** ******* ** HTTPS, ***** ** ******* ** **** ************ ****. ***** **** do *** *** ***** ***** ** ******* ** **** **** regardless.

**** ***** *******, * ***** ************ **** ***** ********** ****** that ****** *********** ***** *** ** ******** / ***********. *******, Total ******** ****** **** ***** ***** *** *********** ** *******,******:

"**** *** ************ ** ********* *** ******* ******* *** ******* and *** *** ***** ***** ** ******* ** **** ************** downgrade ****** ** *** *** *** ** ******* *********** *** HTTP ***** ************** ******* ** **** ****** **************.

**** *** ******** ******* *** *** ****** ** ** ********* the ************** ******** *** **** *** ******** **** * *********** is ** *** **** ***** *****."

***** ******** **** **** ******* ***** *** ******* ***** ** susceptible ** **** *** **** *** ******* ** ****** ****.

[******: ******* ******* * *** *** **** *******, ***** ** detail ** *** ******** *****.]

******* ** *** **** ** ********, ***** ************* **** *** use ***** **** ***** ******, **** **** ** *** * widespread ******* (****** *** ***** ***** *** **** **** ** a ******* ** ******).

*** ** *** ******* ******** *** * **** ******* **** one ************ ***** ** ********* ****/*** ****** ********** ** ******** ***** ****** ******* ****. *******, ***** ******** checked, ********** **** ********* "**** *** ******** **** *** ****** ** ** ********** ** is * ****** ****** ****** ** ************."

******* **** ** ***** ** ****** *** ********* ************ ** assess.

Comments (18)

Undisclosed 1 Integrator

| 11/09/15 04:38pm

***** **** ** ******, *** *******'* ** ********* ** ** such * *** *** ****'* ***** * *** **** *** internet, * **** ********** ** **** *** ******** ***.

Undisclosed 2

In reply to Undisclosed 1 Integrator | 11/09/15 05:02pm

**** ******* ******* ***** ** ****** ** *** (*)***.

John Honovich

IPVM Admin | In reply to Undisclosed 2 | 11/09/15 05:10pm

****'* *** ** *** ****** **** ***** ******, ** ** exploited ***** ** * ****** ****** ** ** **. **** if ** ***** ** ****, ***** ** ***** ** ** done ********** ** * **** ******** ****, *** *********** ** it ***** **** ** ***** ***.

Undisclosed 2

In reply to John Honovich | 11/09/15 05:17pm

****, ***** *** *** ******* **** ** *************** ** ** found. *** ****** ******** ** ***** *** ******* **** ********* fixing ****, *** ********** ** *** ** ****.

Undisclosed 5

In reply to John Honovich | 11/09/15 08:48pm

*** ***** **** ** *** ********* ****** ******* *********** *******, they *** *********** *********** ** * **** ****** ** **** ( ** *** *** *** ******** ****** ** *** **** and/or ******* ***** *** **** ** **** ** ********* ********* traffic **** ** *** ***** *******).

Undisclosed 4 End User

In reply to Undisclosed 1 Integrator | 11/09/15 05:27pm

*** ********** ********** **** **** ********* ** ****:

- **** **** ****** ** **** ********* ******

- *** ****** ** ********* ********** **** *** ********

**** ********** ***** ***** ******* **** ** ****** *** ***** if **** ** * ****** ******* (**** **** ***). ** an ****** ** **** ** ****** - ******* ******* ** isolated **** ****** *** * ******** (*** ******* ** ******** based) ******** ** ********* (***-******) ********, **** ***** ** ** potential *** ******** ****** **** ******.

**** ****** ******** ****** ******** - ******* ** *** *******'* expect **** *** ****** *** **** ** ********* **** ******** over ***** **** ** ******.

Undisclosed 2

In reply to Undisclosed 4 End User | 11/09/15 06:08pm

...******* ** *** *******'* ****** **** *** ****** *** **** in ********* **** ******** **** ***** **** ** ******.

****** **** ** ******* ** ******** ** **** ***, ** is ********** ** **** *******, ** ***** ********** ****** ** secure, **?

Undisclosed 3 Manufacturer

| 11/09/15 05:24pm

**** ******* ***** *** ** ******* ****** **************, ** ******* to ******** ******/***** ** **** ** *********. * ***** *** trick, ** **** *** *** ***** ** **** * ******* to ******* *** ** ****** **************, *** ** **** *** connectin ********* - ** ** ******'* **** **** **** ** basic **************.

***** ***.** *** ** ********* *** ******* * *********** *** the ****** ** ***** ** ** ** *** ******* *** then *** ** ***** **. **** ***** **** ****** * 3rd ***** ***'* ******** **** *** ************...

Undisclosed 2

In reply to Undisclosed 3 Manufacturer | 11/09/15 05:37pm

* ***** *** *****, ** **** *** *** ***** ** have * ******* ** ******* *** ** ****** **************, *** to **** *** ********* ********* - ** ** ******'* **** back **** ** ***** **************.

***** **** **** ************ ********* *** ******, ****** ****** ** digest. *** *** ******* ******* ****** (**** ***!), *** ***** is ** **** ****** *'* ***** ** **** **** *** know **'* *******, ** ********* **.

***** *** * ****** ********* ****** ** ****** **** *** there, ** **** ** * ****** ******** **, **'* *** guaranteed *** *** *** *** **. *** **** **** ****, for * ***** ***, *** ** ****?

Justin Schorn

| 11/09/15 06:40pm

*’* *** ******* ******* *** ******* ******** ***.

***** *** ******** ************* ********* ** ********* * ******* ***** and ******** ****** ** *** *** ** ***** *** *** and ******* *** *********, *******’ ****** ****** **** (**-**), ******** last ****, ********* **** *****. ******* **-** *** *** ************ Release ***** *** ********* **** ************** *** ** *** ************ *** *********. **** **** ****** prevents ********* ******* ********* ***** ** *********** *** **** ************** downgrade.

******* ***** *** ********* ******** ****** ********* *** ***** **** these ******* ** * ********* *** *********** ******. ** ******** to ********* **** ******** *****, ******* ************** ************ *** ******* **** ******* ************ *** ***** ********** ***** with ********* ******* *******. ** **** *********** ****** *** ******* certified ************ *** ********* ******** ***** *** ******** ******** ********** of *** ****** *** **** *** **.

John Honovich

IPVM Admin | In reply to Justin Schorn | 11/09/15 08:55pm

******, ******. *'** ******* *** **** ****** ****.

Undisclosed 2

| 11/10/15 06:16am

**** ** * **** *********** *** ***** ********* *.* ** shine **** *********!

*** ****** ** ******** *****?

John Honovich

IPVM Admin | 11/11/15 08:43am

******* ******** * ********* **** ******** ******* ** **** *****:

  • ******** - ************ ***** ************** *** *** **** *** **** protocol
    **** ******* ******** *** ** ********** ***** ************** *** *** HTTP *** **** ********* ** ******* ******* ********** ******** (***) spoofing ******* ******* *** ******** *** * ******.
  • ******** - ************ ***** ************** *** ***** *************
    **** ******* ******** *** ** ********** ***** ************** **** ** HTTPS ********** **** ** ***** **** *** * ******.

Ryan Twitchell

| 11/11/15 06:13pm

**** ** **** ********* ** ***** ***** ** *******:*****://***.**********.***/****/***-**-***-******-***-***-********-*********-******

* ******** **** **** *** *****'* ******** *** ***** ************** as * *** ** ******* **** *** *****.

**;**: ** *** **** ** ********* ********** (********* *****) ** otherwise *** ******* ************ ** **** **** *******, ***** ************** can ** * **** *****. ** *** *** ***** **** HTTP *** *** ******* **** ******* ******* *********, **** ****** authentication***** *** *** ** **.

**** ** ** *** ** **** ****** ******** ** ********* (and ***** ** ****** ** ********* * ****** **** ******) and *** *** ** ********** ** *** ********:

****** ************** *** * ***** *******. *** ** *** ****** authentication *****, ** ********* ******** *** ****** ** ***** **** password ** **** ** ***** ** ************ ***. ***** **************, however, ****** *** ****** ** **** **** * **** (* "fingerprint") ** *** ********. ******* **** *** **** ***** ** more ********* *** ****** ********* *** ****** (** ******) ** discover **** ********. *** ******* **** ***** *** ***** ******** (like *** **** ****** **** ** ****) **** **** **** available ** ****** *** ***** ****** ** *** ******. ***** passwords *** ****** * ***, **** **** ** ****** *** have * ****** ******.

***, ***** **** ***** **** ******** **** *** ****. *** kind ** ********** *** ******* ********* ***********, *** ************ **** HTTPS *** *** *** ******** ** ******* **** *********** **** used ********, *** **** **** ** ** **** **** ***** vulnerabilities.

* ****** **** ** ****** ********** ********* ** ******* **** right *** (** *** ********), *** ****** ********** ****** ** able ** ******* **** **** * ****** ********.

Undisclosed 2

In reply to Ryan Twitchell | 11/11/15 06:42pm

*** ******* **** ***** *** ***** ******** (**** *** **** digest **** ** ****) **** **** **** ********* ** ****** who ***** ****** ** *** ******. ***** ********* *** ****** a ***, **** **** ** ****** *** **** * ****** impact.

******* ***'* **** ** ***** *** ***** ******** ** ******. The ****, *****, ******** ****, ***, *** ****** *******. **** way ** ***'* ** ****** ******* ** *** *****.

Ryan Twitchell

| 11/16/15 01:48pm

* *** ******* ***** ** **** *** ********, *** * quick **** ** *** *** ***** **** *** *** ******* for **** *****. ** **** ** ******* ********** *** *** to ***** ******* ****** ************** **** ** ***** ********* **** basic ************** ** *** ****** ** ** *******.

* ***** *** ***** **** ***** *******, ****** ** ******* that ****** **** ******* ************ ** *** *** *********. * do *** ******* ******* * ******** ***** ** *** *** digest ** ********** **** ** ****** *****, *** ** ******** in ********* ******* ******* *** ************. *** ********* ** **** digest **************, * ****** ***** ***** ********* **** *** **** algorithm (**** ** ******) *** ** **** ** *** ***** auth.

Undisclosed 2

In reply to Ryan Twitchell | 11/16/15 08:00pm

* ***** *** ***** **** ***** *******, ****** ** ******* that ****** **** ******* ************ ** *** *** *********. * do *** ******* ******* * ******** ***** ** *** *** digest ** ********** **** ** ****** *****, *** ** ******** in ********* ******* ******* *** ************.

* ***** *** ****** **** ***** ******* ****** ** ******* that **** ****** ************** **** *** ****** ** ********* **********:

** **** ** ************* *** ****[**] *** ******** ** ****** the ******** ************** ** *** *** ****-***. *** ****-*** *** RFC ********** **** - ******** *** ******** ** *** *** hash ******** ****** ** ******** *********** - *** ********* ***** " ******* ** ****-*** ** *** **** ** ******** * practical ************* **** **** ** * ******* ************** ****." -****

John Honovich

IPVM Admin | 11/17/15 12:52pm

****: ********* ******** **** *** ***** ** **** *****, ** are ******** * ********. *** ***** **** **** ***** ******* sooner ** **** ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on VMS

Hiring Spree At Aimetis 6 Months After Being Acquired on Sep 28, 2016
Aimetis was acquired in April 2016, and is now expanding almost all of their departments, hiring employees from Axis and other industry...
Axis Secretly Paid Anixter Sales People To Push Axis NVRs on Sep 26, 2016
Internal Axis communication shows how Axis paid Anixter and Tri-Ed sales people with secret bonuses to push Axis NVRs. In this report, we examine...
Milestone Ends Development of "Enterprise" VMS on Sep 22, 2016
Milestone 'Enterprise' was one of the first enterprise video management software offerings, selected by many early adopters of IP video. However,...
History of Video Surveillance on Sep 22, 2016
This is a concise history of video surveillance covering the past decade.  The goal is to help professionals newer to the industry understand...
Tagged RFID Object Search Recorded Video on Sep 20, 2016
Video analytics has gotten fairly good at tagging people in video, but it does not solve the problem of finding items like specific merchandise or...
Milestone Kills Go, Slashes Express Pricing, Launches Enhanced Version Free on Sep 12, 2016
Milestone is shaking up the industry again with enhanced free software and a major price drop. 6 years ago, Milestone launched their first free...
Axis / Canon Launch 20MP Avigilon Rival on Sep 12, 2016
For years, Avigilon has essentially owned the 'super high resolution' single imager market. And Axis has resisted, most famously in 2012, when...
OpenEye Launches Own Cloud VMS on Sep 07, 2016
OpenEye has been shipping security recording solutions since 2001, yet has remained mostly behind the scenes, OEMing their solution to more...
Pelco Optera 270° Camera Tested on Sep 06, 2016
Multi-imager cameras are typically 180° or 360°. Pelco has released a fixed 270° versions of their Optera intended to cover exterior building...
Lenel Partners Angry, Lenel Does Not Care on Sep 01, 2016
Even more than Arecont, one manufacturer stands out for consistent complaints - Lenel. Over the past few years, no manufacturer has had more...

Most Recent Industry Reports

Camio Natural Language Processing Tested on Sep 27, 2016
The ex-Googler led team from Camio has advanced its video monitoring offering to include natural language processing. Camio ingests video,...
Hacked Dahua Cameras Drive Massive Cyber Attack on Sep 27, 2016
Cyber attacks are accelerating and IP cameras are behind many of them. Worse, last week, a 'massive' attack was carried out using numerous Dahua...
Axis Secretly Paid Anixter Sales People To Push Axis NVRs on Sep 26, 2016
Internal Axis communication shows how Axis paid Anixter and Tri-Ed sales people with secret bonuses to push Axis NVRs. In this report, we examine...
VLANs for Video Surveillance on Sep 26, 2016
Many people confidently say to 'use VLANs' as an answer to IP video networking problems and as a way to signal expertise. But how should VLANs be...
Ambarella CEO Admits H.265 and 4K Not Popular on Sep 26, 2016
Ambarella is the main chip provider for high-end surveillance cameras driving higher resolution and new CODECs. While Ambarella has been pushing...
Nest Cam Outdoor Tested on Sep 23, 2016
After years of claiming an outdoor model was "coming", addressing their biggest user demand, Nest has finally released their Outdoor Camera, an...
ACTi Refuses Race To The Bottom, Shifts To Solutions on Sep 23, 2016
The original low cost IP camera disruptor was ACTi. Back in the 2008 - 2010 time frame, Taiwanese manufacturer ACTi challenged the Western and...
You Get Robbed, Canary Will Pay You Up To $1,000 on Sep 22, 2016
Canary is trying to break the status quo in DIY security, first by raising over $40 million, and now a revamp of their monthly services package...
Milestone Ends Development of "Enterprise" VMS on Sep 22, 2016
Milestone 'Enterprise' was one of the first enterprise video management software offerings, selected by many early adopters of IP video. However,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact