Claimed Security Vulnerability in Axis, Aimetis and Milestone VMSes

By: John Honovich, Published on Nov 09, 2015

A Swedish research firm has claimed to discover a 'critical vulnerability' in major VMS software platforms including Axis (ACS), Aimetis and Milestone.

* ******* ******** **** has ******* ** ******** a '******** *************' ** major *** ******** ********* including **** (***), ******* and *********.

[***************]

*** ****, ***** ********, issued * ****** [**** no ****** *********], ********* to **** *** ******** us ********** *****.

*** ******* ** *** VMSes **** ******* ** cameras ** *****, ***** we ******* ** **** infrequently ****. ***** **** do *** *** ***** would ** ******* ** this **** **********.

**** ***** *******, * video ************ **** ***** rightfully ****** **** ****** credentials ***** *** ** accessed / ***********. *******, Total ******** ****** **** these ***** *** *********** be *******, ****** [**** no ****** *********]:

"**** *** ************ ** diverting *** ******* ******* the ******* *** *** VMS ***** ***** ** perform ** **** ************** downgrade ****** ** *** the *** ** ******* credentials *** **** ***** authentication ******* ** **** Digest **************.

**** *** ******** ******* the *** ****** ** to ********* *** ************** protocol *** **** *** validate **** * *********** is ** *** **** using *****."

***** ******** **** **** believe ***** *** ******* might ** *********** ** this *** **** *** working ** ****** ****.

[******: ******* ******* * fix *** **** *******, noted ** ****** ** the ******** *****.]

******* ** *** **** is ********, ***** ************* very *** *** ***** with ***** ******, **** hack ** *** * widespread ******* (****** *** using ***** *** **** well ** * ******* in ******). 

*** ** *** ******* recently *** * **** showing **** *** ***** ******* ***** ** ********* Rtsp/Rtp ****** ***** ***** ** ******** ***** defend ******* ****. *******, Total ******** *******, ********** that ********* "**** *** ******** **** the ****** ** ** connecting ** ** * camera ****** ****** ** authenticate."

******* **** ** ***** is ****** *** ********* capabilities ** ******.

Comments (18)

Undisclosed Integrator #1

11/09/15 04:38pm

Comes down to design, You shouldn't be designing it in such a way you aren't using A VPN over the internet, A vlan internally or your own security lan.

Undisclosed #2

IPVMU Certified | In reply to Undisclosed Integrator #1 | 11/09/15 05:02pm

This exploit assumes there is access to the (V)LAN.

John Honovich

IPVM | In reply to Undisclosed #2 | 11/09/15 05:10pm

That's one of the issues with these issues, to be exploited there is a narrow avenue to do so. Even if it could be done, since it needs to be done physically in a very specific spot, the probability of it being used is quite low.

Undisclosed #2

IPVMU Certified | In reply to John Honovich | 11/09/15 05:17pm

IMHO, these are the perfect type of vulnerabilities to be found. Bad enough sounding to force the vendors into hopefully fixing them, but infeasible to use by most.

Undisclosed #5

In reply to John Honovich | 11/09/15 08:48pm

And since none of the platforms likely support certificate pinning, they are essentially susceptible to a MITM attack as well ( if you can get physical access to the VLAN and/or network there are lots of ways to intercept encrypted traffic that is not fully secured).

Undisclosed End User #4

In reply to Undisclosed Integrator #1 | 11/09/15 05:27pm

The predicated assumption with that statement is that:

- They have access to your encrypted tunnel

- The tunnel is generally accessible over the internet

Both statements being false ensures that no access can occur if this is a closed network (even over VPN). If an airgap is used in design - premise network is isolated from access via a physical (not virtual or software based) firewall on different (non-routed) networks, then there is no potential for exposure unless from within.

Good design precedes secure networks - without it you shouldn't expect that any system you have in operation that operates over HTTPS will be secure.

Undisclosed #2

IPVMU Certified | In reply to Undisclosed End User #4 | 11/09/15 06:08pm

...without it you shouldn't expect that any system you have in operation that operates over HTTPS will be secure.

Though even if someone is directly on your LAN, as is predicated in this exploit, an HTTPS connection should be secure, no?

Undisclosed Manufacturer #3

11/09/15 05:24pm

Some cameras allow you to require digest authentication, as opposed to allowing digest/basic to both be available. I think the trick, is that the VMS needs to have a setting to require SSL or digest authentication, and to fail the connectin otherwise - so it couldn't then back down to basic authentication.

Using 802.1x and IP filtering can require a certificate for the device to allow it on to the network and then who it talks to. This could then ensure a 3rd party isn't inserted into the conversation...

Undisclosed #2

IPVMU Certified | In reply to Undisclosed Manufacturer #3 | 11/09/15 05:37pm

I think the trick, is that the VMS needs to have a setting to require SSL or digest authentication, and to fail the connectin otherwise - so it couldn't then back down to basic authentication.

Maybe even once successfully connected via digest, always insist on digest. Not all cameras support digest (even now!), but there is no good reason I'm aware of that once you know it's capable, to downgrade it.

There are a couple different favors of digest auth out there, so even if a camera supports it, it's not guaranteed the VMS can use it. But once they have, for a given MAC, why go back?

Miriam Rautiainen

11/09/15 06:40pm

I’m the Product Manager for Aimetis Symphony VMS.

While the security vulnerability described is primarily a network issue and requires access to the LAN on which the VMS and cameras are operating, Aimetis’ latest Device Pack (DP-35), released last week, addresses this issue. Aimetis DP-35 and the accompanying Release Notes are available free for download for all of our distributors and resellers. This free update prevents potential attacks described above by disallowing the HTTP authentication downgrade.

Aimetis takes all potential security issues seriously and deals with these matters in a proactive and transparent nature. In addition to providing free software fixes, Aimetis issues Security Advisories on its website that provide instructions for issue resolution along with technical support details. We also immediately notify all Aimetis certified distributors and resellers globally about the Security Advisory regardless of how remote the risk may be.

John Honovich

IPVM | In reply to Miriam Rautiainen | 11/09/15 08:55pm

Justin, thanks. I've updated the post noting that.

Undisclosed #2

IPVMU Certified | 11/10/15 06:16am

This is a good oppurtunity for ONSSI Occularis 5.0 to shine over Milestone!

Did SeeTec do security right?

John Honovich

IPVM | 11/11/15 08:43am

Genetec released 2 knowledge base articles related to this topic:

  • KBA01403 - Deactivating Basic authentication for the HTTP and RTSP protocol
    This article explains how to deactivate basic authentication for the HTTP and RTSP protocols to prevent Address Resolution Protocol (ARP) spoofing attacks between the Archiver and a camera.

  • KBA01404 - Reactivating Basic authentication for HTTPS communication
    This article explains how to reactivate basic authentication when an HTTPS connection type is being used for a camera.

Ryan Twitchell

11/11/15 06:13pm

Easy to read breakdown on these types of attacks: https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack

I actually want play the devil's advocate for basic authentication as I see it getting some bad press.

TL;DR: if you have an encrypted connection (including HTTPS) or otherwise can prevent interception of your HTTP streams, basic authentication can be a good thing. If you are using only HTTP and are sending data through hostile territory, then digest authentication may be the way to go.

This is as far as HTTP server security is concerned (and every IP camera is basically a little HTTP server) and may not be applicable in all contexts:

Digest authentication has a minor problem. Due to how digest authentication works, it typically requires the server to store your password on disk in order to authenticate you. Basic authentication, however, allows the server to keep only a hash (a "fingerprint") of the password. Storing only the hash makes it more difficult for anyone accessing the server (or camera) to discover your password. But servers that store the whole password (like any time digest auth is used) make this data available to anyone who gains access to the server. Since passwords get reused a lot, this kind of breach can have a bigger impact.

Yes, basic auth sends your password over the wire. Any kind of connection can involve sensitive information, and technologies like HTTPS and TLS are designed to protect this information when used properly, and when kept up to date with known vulnerabilities.

I cannot find an easily digestible reference to support this right now (no pun intended), but anyone interested should be able to confirm this with a little research.

Undisclosed #2

IPVMU Certified | In reply to Ryan Twitchell | 11/11/15 06:42pm

But servers that store the whole password (like any time digest auth is used) make this data available to anyone who gains access to the server. Since passwords get reused a lot, this kind of breach can have a bigger impact.

Servers don't need to store the whole password by itself. The user, realm, password hash, HA1, can stored instead. That way it won't be useful outside of the realm.

Ryan Twitchell

11/16/15 01:48pm

I was writing based on some old memories, but a quick read of the RFC shows that you are correct for some cases. My goal in posting previously was not to argue against digest authentication only to raise awareness that basic authentication is not always to be shunned.

I would not argue this point further, except to mention that digest auth depends specifically on the MD5 algorithm. I do not believe storing a password based on its MD5 digest is considered safe in recent years, due to advances in collision attacks against MD5 specifically. Not depending on HTTP digest authentication, a server could store passwords with any hash algorithm (such as bcrypt) and be able to use basic auth.

Undisclosed #2

IPVMU Certified | In reply to Ryan Twitchell | 11/16/15 08:00pm

I would not argue this point further, except to mention that digest auth depends specifically on the MD5 algorithm. I do not believe storing a password based on its MD5 digest is considered safe in recent years, due to advances in collision attacks against MD5 specifically.

I would not defend this point further except to mention that RTSP digest authentication does not depend on collision resistance:

In 2011 an informational RFC 6151[11] was approved to update the security considerations in MD5 and HMAC-MD5. For HMAC-MD5 the RFC summarizes that - although the security of the MD5 hash function itself is severely compromised - the currently known " attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code." -Wiki

John Honovich

IPVM | 11/17/15 12:52pm

Note: Milestone confirms they are aware of this issue, we are awaiting a response. One would hope they would respond sooner to such concerns.

Login to read this IPVM report.

Related Reports

Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
Dynamic vs Static IP Addresses Tutorial on Apr 16, 2020
While many cameras default to DHCP out of the box, that does not mean you...
"He Is An Idiot!" Exclaims SIA Director John Mack on Mar 23, 2020
Here is another inside look into the "leaders" of the security industry. SIA...
Camio Presents Coronavirus Social Distancing Analytics on Apr 20, 2020
Camio presented its social distancing analytics for responding to coronavirus...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Last Chance - Spring 2020 IP Networking Course - Register Now on May 06, 2020
This is the last chance to register for the only networking course designed...
Every VMS Will Become a VSaaS on Feb 21, 2020
VMS is ending. Soon every VMS will be a VSaaS. Competitive dynamics will be...
YCombinator AI Startup Visual One Tested on Apr 02, 2020
Startup Visual One, backed by Silicon Valley's powerful Y Combinator, aims to...
USA's Feevr Thermal Temperature System Examined on Mar 31, 2020
This US company has burst on to the scene, brashly naming itself 'feevr' and...
FLIR A Series Temperature Screening Cameras Tested on Jun 04, 2020
FLIR is one of the biggest names in thermal and one of the most conservative....
ProCam Low-Cost Open Thermal Temperature Project on May 12, 2020
An engineering professor in Switzerland is building what he hopes will be the...
Fever Camera Sales From Integrators Surveyed on Jun 01, 2020
Fever cameras are the hottest trend in video surveillance currently but how...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...