
Some versions of Admin Console allow Basic authentication over HTTP connections to Command Enterprise

CVE: N/A
Advisory Summary: Some versions of Admin Console allow Basic authentication over HTTP connections to Command Enterprise
Products or Components: Admin Console version 5.17, 5.19, 5.20 (including all service packs prior to versions with the fix)
Addressed in Release: The fix was released in 5.17 SP3, 5.19 SP3, 5.20 SP2. Versions below 5.17 and above 5.20 are not affected.
Severity: High
Ticket: SV-31

Description

When Admin Console is configured to connect to Command Enterprise Software, authentication may happen over HTTP, even if an HTTPS port was configured. This may lead to disclosure of Command Enterprise Software access credentials.

Impact

If Admin Console is used in an untrusted network, Command Enterprise Software access credentials may be disclosed.

Mitigations

Add “:” followed by the Command Enterprise Software HTTPS port after the Command Enterprise Software address in the Admin Console configuration. Don’t use Admin Console to connect to cameras through the recorder proxy.
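
The following is an added example, not March Networks code: a check that a configured address carries an explicit ":port" suffix, and a detector that flags Basic credentials in a cleartext HTTP request as a network sensor would capture it. The bare host[:port] address format, the host name ces.example.internal, port 443, the function names and the sample request are assumptions made for illustration.

```python
import base64
import binascii

def address_has_explicit_port(address: str) -> bool:
    """True if the address ends in ':<port>' (hostname, IPv4 or [IPv6] form)."""
    host, sep, port = address.strip().rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return False
    if ":" in host and not (host.startswith("[") and host.endswith("]")):
        return False  # bare IPv6 literal or URL form: last ':' is not a port separator
    return 0 < int(port) < 65536

def basic_auth_user(raw_request: bytes):
    """Username from an 'Authorization: Basic' header in a cleartext request, else None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None
        # Basic credentials are only base64("user:password"), not encrypted.
        # Report the user name for triage and never log the password.
        return decoded.decode("utf-8", "replace").partition(":")[0]
    return None

# Constructed sample: a request as seen by a sensor on a plain-HTTP connection.
_TOKEN = base64.b64encode(b"operator:not-a-real-password").decode()
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: ces.example.internal\r\n"
    f"Authorization: Basic {_TOKEN}\r\n\r\n"
).encode()

if __name__ == "__main__":
    for addr in ("ces.example.internal", "ces.example.internal:443"):
        print(addr, "-> explicit port:", address_has_explicit_port(addr))
    print("cleartext Basic credentials for user:", basic_auth_user(SAMPLE_REQUEST))
```

Any hit from the detector on traffic towards the Command Enterprise server means the credentials for that user crossed the network unencrypted and should be rotated after the fix or mitigation is in place.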

Solution

Download and deploy the Admin Console versions that provide the fix, if your version is affected.

Downloads

The latest Admin Console releases are available on the March Networks Partner Portal here: https://partners.marchnetworks.com/resource-center/?q=&tags=W1siNzBjMDFiNzQtMzAyOC1lNjExLWJkZjgtMDYxYWY1NjI4OWE1Il1d

Credits

March Networks would like to acknowledge CC-Teknologies for reporting this vulnerability.

Revision

Oct 12, 2021 – Initial public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and that the system has been deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high security vulnerability is determined to affect March Networks products.
