Some versions of Admin Console allow basic authentications over HTTP connections towards Command Enterprise
|Advisory Summary||Some versions of Admin Console allow basic authentications over HTTP connections towards Command Enterprise|
|Products or Components||Admin Console version 5.17, 5.19, 5.20 (including all service packs prior to versions with the fix)|
|Addressed in Release||The fix was released in 5.17 SP3, 5.19 SP3, 5.20 SP2. Versions below 5.17 and above 5.20 are not affected.|
When Admin Console is configured to connect to Command Enterprise Software, the authentications may happen over HTTP, even if an HTTPS port was configured. This may lead to a disclosure of Command Enterprise Software access credentials.
If Admin Console is used in an untrusted network, Command Enterprise Software access credentials may be disclosed.
Ensure to add “:” and the Command Enterprise Software HTTPS port after the Command Enterprise Software address in the Admin Console configuration. Don’t use Admin Console to establish a connection to cameras, using the recorder proxy.
Download and deploy the Admin Console versions that provide the fix, if your version is affected.
The latest Admin Console releases are available on the March Networks Partner Portal here: https://partners.marchnetworks.com/resource-center/?q=&tags=W1siNzBjMDFiNzQtMzAyOC1lNjExLWJkZjgtMDYxYWY1NjI4OWE1Il1d
March Networks would like to acknowledge CC-Teknologies for reporting this vulnerability.
Oct 12, 2021 – Initial public report
March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and that the system has been deployed and configured, in accordance to March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes, for our supported products, if and when a high security vulnerability is determined to affect March Networks products.