Dedicated Micros Affected

Notified: May 21, 2015 Updated: August 17, 2015

Statement Date: July 03, 2015

Status

Affected

Vendor Statement

Vulnerability Note [VU#276148]

Headline: Dedicated Micros DVR users are advised to enable built-in firewall and to set passwords.

Overview: The system by default has no authentication on the HTTP, Telnet and FTP interfaces. The built-in firewall has to be enabled. The user has a choice as to whether they use secure protocols such as HTTPS and SSH.

Description: The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own. The user is presented with clear warnings on the GUI that they should set usernames and passwords.

Impact: Some users do not follow best practice and do not set up passwords, this can make their units vulnerable if the user has also not enabled the built-in firewall or set the unit up behind a hardware firewall. Dedicated Micros systems are built using an embedded operating system which by nature is not capable of being used for man in the middle attacks.

Solution: Users are advised to enable the built-in firewall and set their user name and passwords. Users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish. Dedicated Micros products also feature an extra layer of security management which is enabled through the use of their Closed IPTV products. Security features include:

- Authentication between DVR and end point device (encoder or IP camera).
- Warnings/alerts if end point breached.
- Secure lock down by MAC and port
- Built-in firewall
- Automatic VLAN creation
- Segregated private IP address network for IP cameras
- Trusted Endpoint Signature Verification of the video stream.

An article has been written on the DM knowledge base https://kbase.dedicatedmicros.com/entry/108 describing the Password Policies for NetVu Connected Products.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 are affected.