Metric | CVSS2 | CVSS3 |
---|---|---|
Attack Vector | NETWORK | NETWORK |
Attack Complexity | LOW | LOW |
Authentication | NONE | |
Privileges Required | | NONE |
User Interaction | | NONE |
Scope | | UNCHANGED |
Confidentiality Impact | COMPLETE | HIGH |
Integrity Impact | COMPLETE | HIGH |
Availability Impact | COMPLETE | HIGH |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Percentile: 80.7%
Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.
CWE-311: Missing Encryption of Sensitive Data
Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers.
CWE-284: Improper Access Control - CVE-2015-2909
Dedicated Micros DVR products by default do not require authentication. End users may password-protect their devices but are not required to do so, resulting in devices that are open to unauthorized access and tampering.
A remote, unauthenticated attacker can view and manipulate sensitive data and take complete control of an unsecured device.
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.
Enable secure communications protocols
According to the vendor, “users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish.”
Users are encouraged to contact the vendor for guidance in setting up secure protocols.
Use password protection
According to the vendor:
The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own. The user is presented with clear warnings on the GUI that they should set usernames and passwords.
Users are encouraged to refer to individual device documentation or to contact the vendor for guidance in setting up authentication.
Enable security by default
Vendors should provide systems that are reasonably secure by default rather than dependent on end user configuration choices. Shodan results show that some Dedicated Micros devices are openly accessible on the Internet with no authentication. While it may be reasonable to argue that secure configuration options exist and that default passwords are insecure, more secure alternatives exist:
* Enable secure protocols by default, or at least prompt users to enable them when external access is configured.
* Implement unique default passwords, even if based on something deterministic like the MAC address.
* Require users to change the password at setup.
Notified: May 21, 2015 Updated: August 17, 2015
Statement Date: July 03, 2015
Affected
Vulnerability Note [VU#276148]
Headline:
Dedicated Micros DVR users are advised to enable built-in firewall and to set passwords.
Overview:
The system by default has no authentication on the HTTP, Telnet and FTP interfaces. The built-in firewall has to be enabled. The user has a choice as to whether they use secure protocols such as HTTPS and SSH.
Description:
The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own. The user is presented with clear warnings on the GUI that they should set usernames and passwords.
Impact:
Some users do not follow best practice and do not set up passwords; this can make their units vulnerable if the user has also not enabled the built-in firewall or set the unit up behind a hardware firewall. Dedicated Micros systems are built using an embedded operating system which by nature is not capable of being used for man in the middle attacks.
Solution:
Users are advised to enable the built-in firewall and set their user name and passwords. Users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish. Dedicated Micros products also feature an extra layer of security management which is enabled through the use of their Closed IPTV products.
Security features include:
Authentication between DVR and end point device (encoder or IP camera).
Warnings/alerts if end point breached.
Secure lock down by MAC and port
Built-in firewall
Automatic VLAN creation
Segregated private IP address network for IP cameras
Trusted Endpoint Signature Verification of the video stream.
An article has been written on the DM knowledge base <https://kbase.dedicatedmicros.com/entry/108> describing the Password Policies for NetVu Connected Products.
We are not aware of further vendor information regarding this vulnerability.
Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 are affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23276148 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 8.5 | E:POC/RL:W/RC:C |
Environmental | 6.4 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Andrew Tierney for reporting this vulnerability.
This document was written by Joel Land.
CVE IDs: | CVE-2015-2909 |
---|---|
Date Public: | 2015-08-20 |
Date First Published: | |