Executive Summary

Summary
Title Dedicated Micros DVR products use plaintext protocols and require no password by default
Information

Name: VU#276148
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-08-20
Last vendor modification: 2015-08-20
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score: 9.8
Base Score: 9.8
Environmental Score: 9.8
Impact Subscore: 5.9
Temporal Score: 9.8
Exploitability Subscore: 3.9

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Base Score: 10
CVSS Impact Score: 10
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#276148

Dedicated Micros DVR products use plaintext protocols and require no password by default

Original Release date: 20 Aug 2015 | Last revised: 20 Aug 2015

Overview

Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.

Description

CWE-311: Missing Encryption of Sensitive Data

Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers.

CWE-284: Improper Access Control - CVE-2015-2909

Dedicated Micros DVR products by default do not require authentication. End users may password-protect their devices but are not required to do so, resulting in devices that are open to unauthorized access and tampering.

Impact

A remote, unauthenticated attacker can view and manipulate sensitive data and take complete control of an unsecured device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.

Enable secure communications protocols

According to the vendor, "users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish."

Users are encouraged to contact the vendor for guidance in setting up secure protocols.

Use password protection

According to the vendor:

    The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own. The user is presented with clear warnings on the GUI that they should set usernames and passwords.

Users are encouraged to refer to individual device documentation or to contact the vendor for guidance in setting up authentication.

Enable security by default

Vendors should provide systems that are reasonably secure by default rather than dependent on end user configuration choices. Shodan results show that some Dedicated Micros devices are openly accessible on the Internet with no authentication. While it may be reasonable to argue that secure configuration options exist and that default passwords are insecure, more secure alternatives exist:
  • Enable secure protocols by default, or at least prompt users to enable them when external access is configured.
  • Implement unique default passwords, even if based on something deterministic like the MAC address.
  • Require users to change the password at setup.
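The second and third recommendations above, worked as an added example that is not Dedicated Micros or CERT/CC code: a per-device default password derived from the MAC address under a constructed factory secret (a bare hash of the MAC would be guessable by anyone who can read the device label), and an account object that accepts that default only until the user has set their own. All names, the secret and the password policy are hypothetical.

```python
import hashlib
import hmac
import string

# Constructed manufacturing secret for this example; a real one is provisioned
# per product line at the factory and is never readable by the device's users.
FACTORY_SECRET = b"example-factory-secret-not-a-real-key"

# 64 symbols, so one byte maps to one symbol without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"


def normalize_mac(mac: str) -> str:
    """Canonical form without separators, e.g. 'aabbccddeeff'."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def default_password(mac: str, length: int = 12) -> str:
    """Unique per-device default: HMAC of the MAC under the factory secret.

    The MAC alone is public (on the label and on the LAN), so an unkeyed hash
    of it would be about as guessable as a shared default; keying it is what
    makes the password unique to the device and unpredictable to outsiders.
    """
    tag = hmac.new(FACTORY_SECRET, normalize_mac(mac).encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % 64] for b in tag[:length])


class DeviceAuth:
    """Account state for one appliance; the default password is only good for
    completing setup, which forces the user to choose their own."""

    def __init__(self, mac: str):
        self._password = default_password(mac)
        self.must_change = True

    def login(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), self._password.encode())

    def is_setup_complete(self) -> bool:
        return not self.must_change

    def change_password(self, current: str, new: str) -> None:
        if not self.login(current):
            raise PermissionError("current password incorrect")
        if len(new) < 10 or new == self._password:
            raise ValueError("new password must be >= 10 chars and differ from the default")
        self._password = new
        self.must_change = False
```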

Vendor Information

Vendor            Status    Date Notified  Date Updated
Dedicated Micros  Affected  21 May 2015    17 Aug 2015

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.5    E:POC/RL:W/RC:C
Environmental  6.4    CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.dedicatedmicros.com/europe/products_group.php?product_group_id=1
  • http://cybergibbons.com/security-2/shodan-searches/interesting-shodan-searches-sd-advanced-dvrs/
  • https://www.shodan.io/search?query=command+line+processor+-username
  • http://cwe.mitre.org/data/definitions/284.html
  • http://cwe.mitre.org/data/definitions/311.html

Credit

Thanks to Andrew Tierney for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2015-2909
  • Date Public: 20 Aug 2015
  • Date First Published: 20 Aug 2015
  • Date Last Updated: 20 Aug 2015
  • Document Revision: 22

Original Source

Url : http://www.kb.cert.org/vuls/id/276148

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-269  Improper Privilege Management

Alert History

Date                 Information
2020-05-23 13:03:47  Multiple Updates
2015-08-20 17:22:55  First insertion