Dedicated Micros DVR products use plaintext protocols and require no password by default

Overview

Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.

Description

CWE-311: Missing Encryption of Sensitive Data

Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers.

CWE-284: Improper Access Control - CVE-2015-2909

Dedicated Micros DVR products by default do not require authentication. End users may password-protect their devices but are not required to do so, resulting in devices that are open to unauthorized access and tampering.

---

Impact

A remote, unauthenticated attacker can view and manipulate sensitive data and take complete control of an unsecured device.

---

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.

---

Enable secure communications protocols

According to the vendor, “users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish.”

Users are encouraged to contact the vendor for guidance in setting up secure protocols.

Use password protection

According to the vendor:

The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own.The user is presented with clear warnings on the GUI that they should set usernames and passwords.

Users are encouraged to refer to individual device documentation or to contact the vendor for guidance in setting up authentication.

Enable security by default

Vendors should provide systems that are reasonably secure by default rather than dependent on end user configuration choices. Shodan results show that some Dedicated Micros devices are openly accessible on the Internet with no authentication. While it may be reasonable to argue that secure configuration options exist and that default passwords are insecure, more secure alternatives exist:

* Enable secure protocols by default, or at least prompt users to enable them when external access is configured.
* Implement unique default passwords, even if based on something deterministic like the MAC address.
* Require users to change the password at setup.  

---

Vendor Information

276148

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Dedicated Micros __ Affected

Notified: May 21, 2015 Updated: August 17, 2015

Statement Date: July 03, 2015

Status

Affected

Vendor Statement

Vulnerability Note [VU#276148]

Headline:
Dedicated Micros DVR users are advised to enable built-in firewall and to set passwords.

Overview:

The system by default has no authentication on the HTTP, Telnet and FTP interfaces. The built-in firewall has to be enabled. The user has a choice as to whether they use secure protocols such as HTTPS and SSH.

Description:
The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own.The user is presented with clear warnings on the GUI that they should set usernames and passwords.

Impact:
Some users do not follow best practice and do not set up passwords, this can make their units vulnerable if the user has also not enabled the built-in firewall or set the unit up behind a hardware firewall.Dedicated Micros systems are built using an embedded operating system which by nature is not capable of being used for man in the middle attacks.

Solution:
Users are advised to enable the built-in firewall and set their user name and passwords. Users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish.Dedicated Micros products also feature an extra layer of security management which is enabled through the use of their Closed IPTV products.

Security features include:

Authentication between DVR and end point device (encoder or IP camera).

Warnings/alerts if end point breached.

Secure lock down by MAC and port Built-in firewall

Automatic VLAN creation

Segregated private IP address network for IP cameras

Trusted Endpoint Signature Verification of the video stream.

An article has been written on the DM knowledge base <https://kbase.dedicatedmicros.com/entry/108&gt; describing the Password Policies for NetVu Connected Products.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://kbase.dedicatedmicros.com/entry/108&gt;

Addendum

Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 are affected.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23276148 Feedback>).

CVSS Metrics

Group	Score	Vector
Base	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	8.5	E:POC/RL:W/RC:C
Environmental	6.4	CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

• <http://www.dedicatedmicros.com/europe/products_group.php?product_group_id=1&gt;
• <http://cybergibbons.com/security-2/shodan-searches/interesting-shodan-searches-sd-advanced-dvrs/&gt;
• <https://www.shodan.io/search?query=command+line+processor+-username&gt;
• <http://cwe.mitre.org/data/definitions/284.html&gt;
• <http://cwe.mitre.org/data/definitions/311.html&gt;

Acknowledgements

Thanks to Andrew Tierney for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs:	CVE-2015-2909
Date Public:	2015-08-20 Date First Published: