Claimed Security Vulnerability in Axis, Aimetis and Milestone VMSes

By: John Honovich, Published on Nov 09, 2015

A Swedish research firm has claimed to discover a 'critical vulnerability' in major VMS software platforms including Axis (ACS), Aimetis and Milestone.

* ******* ******** **** has ******* ** ******** a '******** *************' ** major *** ******** ********* including **** (***), ******* and *********.

[***************]

*** ****,***** ********, ****** * notice, ********* ** **** and ******** ** ********** color.

*** ******* ** *** VMSes **** ******* ** cameras ** *****, ***** we ******* ** **** infrequently ****. ***** **** do *** *** ***** would ** ******* ** this **** **********.

**** ***** *******, * video ************ **** ***** rightfully ****** **** ****** credentials ***** *** ** accessed / ***********. *******, Total ******** ****** **** these ***** *** *********** be *******,******:

"**** *** ************ ** diverting *** ******* ******* the ******* *** *** VMS ***** ***** ** perform ** **** ************** downgrade ****** ** *** the *** ** ******* credentials *** **** ***** authentication ******* ** **** Digest **************.

**** *** ******** ******* the *** ****** ** to ********* *** ************** protocol *** **** *** validate **** * *********** is ** *** **** using *****."

***** ******** **** **** believe ***** *** ******* might ** *********** ** this *** **** *** working ** ****** ****.

[******: ******* ******* * fix *** **** *******, noted ** ****** ** the ******** *****.]

******* ** *** **** is ********, ***** ************* very *** *** ***** with ***** ******, **** hack ** *** * widespread ******* (****** *** using ***** *** **** well ** * ******* in ******). 

*** ** *** ******* recently *** * **** showing **** *** ***** ******* ***** ** ********* Rtsp/Rtp ****** ***** ***** ** ******** ***** defend ******* ****. *******, Total ******** *******, ********** that ********* "**** *** ******** **** the ****** ** ** connecting ** ** * camera ****** ****** ** authenticate."

******* **** ** ***** is ****** *** ********* capabilities ** ******.

Comments (18)

Comes down to design, You shouldn't be designing it in such a way you aren't using A VPN over the internet, A vlan internally or your own security lan.

This exploit assumes there is access to the (V)LAN.

That's one of the issues with these issues, to be exploited there is a narrow avenue to do so. Even if it could be done, since it needs to be done physically in a very specific spot, the probability of it being used is quite low.

IMHO, these are the perfect type of vulnerabilities to be found. Bad enough sounding to force the vendors into hopefully fixing them, but infeasible to use by most.

And since none of the platforms likely support certificate pinning, they are essentially susceptible to a MITM attack as well ( if you can get physical access to the VLAN and/or network there are lots of ways to intercept encrypted traffic that is not fully secured).

The predicated assumption with that statement is that:

- They have access to your encrypted tunnel

- The tunnel is generally accessible over the internet

Both statements being false ensures that no access can occur if this is a closed network (even over VPN). If an airgap is used in design - premise network is isolated from access via a physical (not virtual or software based) firewall on different (non-routed) networks, then there is no potential for exposure unless from within.

Good design precedes secure networks - without it you shouldn't expect that any system you have in operation that operates over HTTPS will be secure.

...without it you shouldn't expect that any system you have in operation that operates over HTTPS will be secure.

Though even if someone is directly on your LAN, as is predicated in this exploit, an HTTPS connection should be secure, no?

Some cameras allow you to require digest authentication, as opposed to allowing digest/basic to both be available. I think the trick, is that the VMS needs to have a setting to require SSL or digest authentication, and to fail the connectin otherwise - so it couldn't then back down to basic authentication.

Using 802.1x and IP filtering can require a certificate for the device to allow it on to the network and then who it talks to. This could then ensure a 3rd party isn't inserted into the conversation...

I think the trick, is that the VMS needs to have a setting to require SSL or digest authentication, and to fail the connectin otherwise - so it couldn't then back down to basic authentication.

Maybe even once successfully connected via digest, always insist on digest. Not all cameras support digest (even now!), but there is no good reason I'm aware of that once you know it's capable, to downgrade it.

There are a couple different favors of digest auth out there, so even if a camera supports it, it's not guaranteed the VMS can use it. But once they have, for a given MAC, why go back?

I’m the Product Manager for Aimetis Symphony VMS.

While the security vulnerability described is primarily a network issue and requires access to the LAN on which the VMS and cameras are operating, Aimetis’ latest Device Pack (DP-35), released last week, addresses this issue. Aimetis DP-35 and the accompanying Release Notes are available free for download for all of our distributors and resellers. This free update prevents potential attacks described above by disallowing the HTTP authentication downgrade.

Aimetis takes all potential security issues seriously and deals with these matters in a proactive and transparent nature. In addition to providing free software fixes, Aimetis issues Security Advisories on its website that provide instructions for issue resolution along with technical support details. We also immediately notify all Aimetis certified distributors and resellers globally about the Security Advisory regardless of how remote the risk may be.

Justin, thanks. I've updated the post noting that.

This is a good oppurtunity for ONSSI Occularis 5.0 to shine over Milestone!

Did SeeTec do security right?

Genetec released 2 knowledge base articles related to this topic:

  • KBA01403 - Deactivating Basic authentication for the HTTP and RTSP protocol
    This article explains how to deactivate basic authentication for the HTTP and RTSP protocols to prevent Address Resolution Protocol (ARP) spoofing attacks between the Archiver and a camera.
  • KBA01404 - Reactivating Basic authentication for HTTPS communication
    This article explains how to reactivate basic authentication when an HTTPS connection type is being used for a camera.

Easy to read breakdown on these types of attacks: https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack

I actually want play the devil's advocate for basic authentication as I see it getting some bad press.

TL;DR: if you have an encrypted connection (including HTTPS) or otherwise can prevent interception of your HTTP streams, basic authentication can be a good thing. If you are using only HTTP and are sending data through hostile territory, then digest authentication may be the way to go.

This is as far as HTTP server security is concerned (and every IP camera is basically a little HTTP server) and may not be applicable in all contexts:

Digest authentication has a minor problem. Due to how digest authentication works, it typically requires the server to store your password on disk in order to authenticate you. Basic authentication, however, allows the server to keep only a hash (a "fingerprint") of the password. Storing only the hash makes it more difficult for anyone accessing the server (or camera) to discover your password. But servers that store the whole password (like any time digest auth is used) make this data available to anyone who gains access to the server. Since passwords get reused a lot, this kind of breach can have a bigger impact.

Yes, basic auth sends your password over the wire. Any kind of connection can involve sensitive information, and technologies like HTTPS and TLS are designed to protect this information when used properly, and when kept up to date with known vulnerabilities.

I cannot find an easily digestible reference to support this right now (no pun intended), but anyone interested should be able to confirm this with a little research.

But servers that store the whole password (like any time digest auth is used) make this data available to anyone who gains access to the server. Since passwords get reused a lot, this kind of breach can have a bigger impact.

Servers don't need to store the whole password by itself. The user, realm, password hash, HA1, can stored instead. That way it won't be useful outside of the realm.

I was writing based on some old memories, but a quick read of the RFC shows that you are correct for some cases. My goal in posting previously was not to argue against digest authentication only to raise awareness that basic authentication is not always to be shunned.

I would not argue this point further, except to mention that digest auth depends specifically on the MD5 algorithm. I do not believe storing a password based on its MD5 digest is considered safe in recent years, due to advances in collision attacks against MD5 specifically. Not depending on HTTP digest authentication, a server could store passwords with any hash algorithm (such as bcrypt) and be able to use basic auth.

I would not argue this point further, except to mention that digest auth depends specifically on the MD5 algorithm. I do not believe storing a password based on its MD5 digest is considered safe in recent years, due to advances in collision attacks against MD5 specifically.

I would not defend this point further except to mention that RTSP digest authentication does not depend on collision resistance:

In 2011 an informational RFC 6151[11] was approved to update the security considerations in MD5 and HMAC-MD5. For HMAC-MD5 the RFC summarizes that - although the security of the MD5 hash function itself is severely compromised - the currently known " attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code." -Wiki

Note: Milestone confirms they are aware of this issue, we are awaiting a response. One would hope they would respond sooner to such concerns.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on VMS

Axis ~$150 Outdoor Camera Tested on May 21, 2019
Axis has released the latest in their Companion camera line, the outdoor Companion Dome Mini LE, a 1080p integrated IR model aiming to compete with...
Panasonic 32MP Multi Imager Camera Tested (WV-X8570N) on May 16, 2019
Panasonic has released their first multi imager models including the 32MP (4x4K) WV-X8570N, claiming "Extreme image quality for evidence capturing...
Bank Security Manager Interview on May 15, 2019
Bank security contends with many significant threats - from fraudsters to robbers and more. In this interview, IPVM spoke with bank security...
Milestone XProtect 2019 R1 Tested on May 15, 2019
For the past few years, Milestone has released quarterly software updates XProtect VMS platform. What is new and how much impact do the updates...
Bluecherry Open Sources Entire VMS on May 13, 2019
Bluecherry announced they have "released the entire Bluecherry software application open source with a GPL license". We spoke to Bluecherry's...
Mining Company Security Manager Interview on May 10, 2019
First Quantum Minerals Limited (FQML) is a global enterprise with offices on 4 continents and operations in 7 countries with exploratory operations...
Aegis AI Gun Detection Video Analytics Startup on May 07, 2019
Gun detection analytic startups are increasing as the promise of AI and the threats of active shooters grow.  One company, Aegis AI, is being led...
Restaurant Security Manager Interview on May 06, 2019
Wright’s Gourmet House in Tampa, Florida has been around for over 50 years. During most of that time, there were no security measures in place. Now...
Ranking Manufacturer Favorability 2019 on May 06, 2019
24 manufacturer's favorability was ranked based on 170+ integrators feedback. Voting plus in-depth comments revealed insights on which brands were...
Verkada Cloud VMS/Cameras Tested on May 02, 2019
Verkada is arguably the most ambitious video surveillance startup in many years. The company is developing their own cameras, their own VMS, their...

Most Recent Industry Reports

NJ Law Requires Apprenticeship For Public Works Integrators on May 24, 2019
Few integrators do a formal apprenticeship program. However, now a NJ law is requiring any integrator on public works projects (such as state...
Security / Privacy Journalist Sam Pfeifle Interview on May 24, 2019
Sam Pfeifle is best known as the outspoken former Editor of Security Systems News. After that, he was publications director at the International...
Verkada Video Quality Problems Tested on May 23, 2019
Verkada suffers from numerous video quality problems, not found in commercial IP cameras, new IPVM testing of Verkada vs Axis and Hikvision...
Average Frame Rate Video Surveillance 2019 on May 23, 2019
What is the average frame rated used in video surveillance systems? In IPVM's 2011 statistics, the average was 6-8fps increasing to ~10fps in...
Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
ASCMA / Monitronics Declares Chapter 11 Bankruptcy Plan on May 22, 2019
Monitronics is entering into Chapter 11 bankruptcy. The company, also called Ascent Capital Group Inc., aka ASCMA, aka Brinks Home Security,...
US Considers Sanctions Against Hikvision and Dahua on May 22, 2019
The US government is considering blacklisting "up to 5" PRC surveillance firms, including Hikvision and Dahua, Bloomberg reported, with human...
Dahua USA Celebrates 5 Years of Errors on May 21, 2019
Dahua USA is, in their own words, 'celebrating' 5 years in North America or as trade magazine SSN declared: Dahua Technology finds success in...
Axis ~$150 Outdoor Camera Tested on May 21, 2019
Axis has released the latest in their Companion camera line, the outdoor Companion Dome Mini LE, a 1080p integrated IR model aiming to compete with...
Covert Facial Recognition Using Axis and Amazon By NYTimes on May 20, 2019
What if you took a 33MP Axis camera covering one of the busiest parks in the US and ran Amazon Facial Recognition against it? That is what the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact