Vulnerability Note VU#276148
Dedicated Micros DVR products use plaintext protocols and require no password by default
Original Release date: 20 Aug 2015 | Last revised: 20 Aug 2015

Overview
Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.

Description
CWE-311: Missing Encryption of Sensitive Data
Dedicated Micros DVR products by default expose their management and data interfaces over HTTP, telnet, and FTP rather than the encrypted alternatives the devices support (HTTPS and SSH), leaving it to the end user to configure the device securely. An attacker positioned on the network path can read or modify sensitive data in transit.

CWE-284: Improper Access Control – CVE-2015-2909

Dedicated Micros DVR products by default do not require authentication. End users may password-protect their devices but are not required to do so, resulting in devices that are open to unauthorized access and tampering.
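The following is an added example for this note, not CERT/CC, vendor, or reporter code, showing how an operator would check a device they own for the two conditions described above: a telnet interface that presents a command prompt without asking for credentials, and a web interface that serves content without an HTTP challenge. The telnet heuristic mirrors the Shodan query referenced in this note ("command line processor" with no "username" prompt) and is an assumption about what an open session looks like, not a vendor specification; the sample banners and responses are constructed for illustration.

```python
"""Offline classifiers plus an optional live probe for the unauthenticated,
plaintext interfaces described in this note.

Added example, not CERT/CC or vendor code. Assumptions (not vendor
specifications): an unauthenticated telnet session greets the client with a
"command line processor" prompt and no username/password prompt, and a
protected web interface answers GET / with an HTTP 401 challenge.
"""
import http.client
import socket

OPEN, PROTECTED, UNKNOWN = "open", "protected", "unknown"


def classify_telnet_banner(banner: str) -> str:
    """Classify what a DVR sent immediately after the telnet connect."""
    text = banner.lower()
    if "username" in text or "password" in text or "login:" in text:
        return PROTECTED          # device asked for credentials first
    if "command line processor" in text:
        return OPEN               # shell prompt with no challenge (assumed signature)
    return UNKNOWN


def classify_http(status: int, headers: dict) -> str:
    """Classify the response to an unauthenticated GET / on the web interface."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407) and "www-authenticate" in hdrs:
        return PROTECTED
    if 200 <= status < 300:
        return OPEN               # content served with no challenge at all
    return UNKNOWN                # redirects to a login form etc. need a human look


def grab_telnet_banner(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Live probe: read whatever the device sends first. Only against hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            raw = sock.recv(1024)
        except socket.timeout:
            raw = b""
    # Drop telnet IAC negotiation bytes so the heuristic sees only printable text.
    return bytes(b for b in raw if 32 <= b < 127 or b in (10, 13)).decode("ascii")


def probe_http(host: str, port: int = 80, timeout: float = 3.0) -> str:
    """Live probe: fetch / without credentials and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_http(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed samples (not real captures) showing both outcomes.
SAMPLE_OPEN_BANNER = "\r\nDedicated Micros Command Line Processor\r\n>"
SAMPLE_PROTECTED_BANNER = "\r\nCommand Line Processor\r\nUsername: "


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print("telnet:", classify_telnet_banner(grab_telnet_banner(host)))
        print("http:  ", probe_http(host))
    else:
        print("open banner ->", classify_telnet_banner(SAMPLE_OPEN_BANNER))
        print("protected banner ->", classify_telnet_banner(SAMPLE_PROTECTED_BANNER))
```

Run it with a hostname to probe a device you are authorised to test, or with no arguments to see the classifiers applied to the constructed samples. A 302 to a login page is deliberately reported as unknown rather than protected, because some devices redirect to a form but still serve video and configuration paths without a session.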

Impact
A remote, unauthenticated attacker can view and manipulate sensitive data and take complete control of an unsecured device.

Solution
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.
Enable secure communications protocols

According to the vendor, "users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish."

Users are encouraged to contact the vendor for guidance in setting up secure protocols.

Use password protection

According to the vendor:

The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own. The user is presented with clear warnings on the GUI that they should set usernames and passwords.

Users are encouraged to refer to individual device documentation or to contact the vendor for guidance in setting up authentication.

Enable security by default

Vendors should ship systems that are reasonably secure by default rather than dependent on end-user configuration choices. Shodan results show that some Dedicated Micros devices are openly accessible on the Internet with no authentication. While it may be reasonable to argue that secure configuration options exist and that a single default password shared by every unit is itself insecure, more secure alternatives exist:

Enable secure protocols by default, or at least prompt users to enable them when external access is configured.
Implement unique default passwords, even if based on something deterministic like the MAC address.
Require users to change the password at setup.
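The three recommendations above, worked through as an added example of a device-side credential bootstrap. This is illustrative code written for this note, not Dedicated Micros firmware, and it describes no real device. It assumes each unit has a MAC address and a per-product secret provisioned at manufacture; that secret is what makes the derived default unguessable, since a bare hash of the MAC could be recomputed by anyone who reads the label or sees a frame on the LAN.

```python
"""Secure-by-default credential bootstrap for an embedded device.

Added example for this note, not vendor code. Assumptions: a per-unit MAC
address and a per-product secret (PRODUCT_SECRET below is a placeholder)
provisioned at the factory and never exposed on the network.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# No 0/O/1/l/I so the printed default is unambiguous on a sticker.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
MIN_PASSWORD_LEN = 10
KDF_ITERATIONS = 100_000


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55; return 12 lowercase hex digits."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def derive_default_password(mac: str, product_secret: bytes, length: int = 12) -> str:
    """Per-unit default: HMAC-SHA256(product_secret, MAC) encoded in ALPHABET.

    Base conversion of the 256-bit tag avoids the bias of digest[i] % 54.
    The MAC only makes the value unique; the secret is what makes it unguessable.
    """
    tag = hmac.new(product_secret, normalize_mac(mac).encode(), hashlib.sha256).digest()
    n = int.from_bytes(tag, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


@dataclass
class DeviceAuth:
    """Password state for one unit: starts on the unique default, forces a change."""
    mac: str
    product_secret: bytes
    must_change: bool = True
    salt: bytes = field(init=False, repr=False)
    pw_hash: bytes = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._store(derive_default_password(self.mac, self.product_secret))

    def _store(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, KDF_ITERATIONS)

    def verify(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, KDF_ITERATIONS)
        return hmac.compare_digest(cand, self.pw_hash)

    def login(self, password: str) -> str:
        """'denied' | 'change_required' | 'ok'; nothing else is reachable on the default."""
        if not self.verify(password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Reject re-use of the factory default and trivially short values."""
        if not self.verify(current):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == derive_default_password(self.mac, self.product_secret):
            return False
        self._store(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    PRODUCT_SECRET = b"\x00" * 32   # placeholder; provisioned per product line at the factory
    dev = DeviceAuth("00:11:22:33:44:55", PRODUCT_SECRET)
    sticker = derive_default_password(dev.mac, PRODUCT_SECRET)
    print("sticker default:", sticker)
    print(dev.login(sticker))                                 # change_required
    print(dev.change_password(sticker, "first-boot passphrase set by owner"))
    print(dev.login("first-boot passphrase set by owner"))   # ok
```

The design choice worth noting is that the default is never a usable session credential: the only operation it unlocks is setting a new password, so a unit left on its sticker value is still not the open device this note describes. The same gate should sit in front of the telnet and FTP interfaces, not only the web GUI.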

Vendor Information

Vendor             Status     Date Notified   Date Updated
Dedicated Micros   Affected   21 May 2015     17 Aug 2015

CVSS Metrics

Group           Score   Vector
Base            10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal        8.5     E:POC/RL:W/RC:C
Environmental   6.4     CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.dedicatedmicros.com/europe/products_group.php?product_group_id=1
http://cybergibbons.com/security-2/shodan-searches/interesting-shodan-searches-sd-advanced-dvrs/
https://www.shodan.io/search?query=command+line+processor+-username
http://cwe.mitre.org/data/definitions/284.html
http://cwe.mitre.org/data/definitions/311.html

Credit

Thanks to Andrew Tierney for reporting this vulnerability.
This document was written by Joel Land.

Other Information

CVE IDs:
CVE-2015-2909

Date Public:
20 Aug 2015

Date First Published:
20 Aug 2015

Date Last Updated:
20 Aug 2015

Document Revision:
22
