Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.
CWE-311: Missing Encryption of Sensitive Data
Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers.
A remote, unauthenticated attacker can view and manipulate sensitive data and take complete control of an unsecured device.
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.
Enable secure communications protocols
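To confirm which of your own devices still accept connections on the plaintext services named above, before and after applying the workaround, the following check can be run from the management network. It is an added example, not part of the CERT/CC note or any vendor tooling, and it assumes the services listen on their standard ports (21, 23, 80).

```python
import socket
import sys

# Plaintext services the advisory names, on their standard ports
# (assumed here; adjust if a device was moved to non-default ports).
PLAINTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http"}


def probe(host, port, timeout=2.0):
    """Return (reachable, banner) for one TCP service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                # FTP and telnet usually speak first; HTTP waits for the client,
                # so an empty banner after the timeout is still "reachable".
                banner = conn.recv(128)
            except OSError:
                banner = b""
            return True, banner.decode("latin-1").strip()
    except OSError:
        return False, ""


def audit_device(host, services=PLAINTEXT_SERVICES, timeout=2.0):
    """List every plaintext service on `host` that accepts a connection."""
    findings = []
    for port, name in sorted(services.items()):
        reachable, banner = probe(host, port, timeout)
        if reachable:
            findings.append(
                {"host": host, "port": port, "service": name, "banner": banner}
            )
    return findings


if __name__ == "__main__":
    # Usage (script name is arbitrary): python audit_plaintext.py <device-ip> ...
    exposed = 0
    for device in sys.argv[1:]:
        for f in audit_device(device):
            exposed += 1
            print(f"{f['host']}:{f['port']} {f['service']} reachable {f['banner']!r}")
    # Non-zero exit status: at least one plaintext service is still reachable.
    sys.exit(1 if exposed else 0)
```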
Thanks to Andrew Tierney for reporting this vulnerability.
This document was written by Joel Land.
Date First Published: 2015-08-20
Date Last Updated: 2015-08-20 14:30 UTC