|Advisory Summary||Authentication credentials are printed in clear text in the device logs after their first provisioning. The device serial number can be changed by pushing the configuration with Command Enterprise mass management or by using a reserved API.|
| Products or Components | Affected Version | Addressed in Release |
|---|---|---|
| VA Series | 1.1.1 | 1.1.2 |
| ME6 Series | 1.1.4 | 1.1.5 |
| SE2 ATM Camera | 1.1.1 | 1.1.2 |
| SE2 Fleet Wedge Camera | 1.1.1 | 1.1.2 |
| SE2 Fleet Dash Camera | 1.1.1 | 1.1.2 |
| SE2 Flush and Pendant PTZs 30X | 1.0.9 | 1.0.10 |
| ME3 Pendant IR PTZ 40X | 1.0.9 | 1.0.10 |
| SE4 IR DuraBullet | 1.0.10 | 1.0.11 |
The high severity issue is that the access credentials are printed in clear text in the device logs after their first provisioning. Provisioning authentication credentials in a device is a mandatory operation; the issue is that the log file may be exported, disclosing them.
In addition to this, the device serial number can be changed by pushing the configuration with Command Enterprise mass management or by using a reserved API. This is a low severity issue from a security perspective, since the device maintains its network identity and continues to operate correctly (even with mass management operations). That said, the upgrade was deemed mandatory to be able to continue providing support for these devices, since the serial number is needed to process support requests.
The camera authentication credentials provisioned in the device are present in the logs. The serial number may be changed by pushing the configuration with mass management or by using a reserved API.
Change the authentication credentials after their initial provisioning, and avoid performing configuration changes with Command Enterprise mass management or using a reserved API.
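Before a device log export is handed to support, a defender can check it for the provisioned credential and redact it. The following is an added example, not March Networks code: the log format, serial placeholder and credential are constructed, and the assumption that the credential may also appear as an HTTP Basic `user:password` base64 token is the author's, not something the advisory states. Rotation of the credential (the workaround above) is still required, because the log on the device itself is unchanged.

```python
"""Check an exported camera log for a provisioned credential (added example)."""
import base64
from typing import NamedTuple


class Exposure(NamedTuple):
    line_no: int
    form: str  # "plain" or "basic-auth"


def _basic_auth_token(user: str, password: str) -> str:
    # RFC 7617 form: base64("user:password"), as it would appear if an
    # Authorization header were copied into a log (assumed form, not from the advisory).
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def find_exposures(log_text: str, user: str, password: str) -> list[Exposure]:
    """Return every line that contains the password in clear text or the
    user:password pair encoded as an HTTP Basic token."""
    token = _basic_auth_token(user, password)
    found: list[Exposure] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if password in line:
            found.append(Exposure(n, "plain"))
        elif token in line:
            found.append(Exposure(n, "basic-auth"))
    return found


def redact(log_text: str, user: str, password: str) -> str:
    """Replace both forms of the credential so the export can be shared."""
    token = _basic_auth_token(user, password)
    return log_text.replace(password, "[REDACTED]").replace(token, "[REDACTED-BASIC]")


# Constructed sample export; not real device output. The serial is a placeholder.
SAMPLE_LOG = "\n".join([
    "2023-12-01 10:00:01 INFO  boot complete, serial=PLACEHOLDER-SERIAL",
    "2023-12-01 10:00:05 INFO  provisioning user=camadmin password=Sup3rS3cret!",
    "2023-12-01 10:00:06 DEBUG auth header: Basic Y2FtYWRtaW46U3VwM3JTM2NyZXQh",
    "2023-12-01 10:00:07 INFO  stream started",
])

if __name__ == "__main__":
    for e in find_exposures(SAMPLE_LOG, "camadmin", "Sup3rS3cret!"):
        print(f"line {e.line_no}: credential exposed ({e.form})")
    print(redact(SAMPLE_LOG, "camadmin", "Sup3rS3cret!"))
```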
Download and deploy the firmware versions that provide the fix if your version is affected.
Camera firmware for all affected cameras can be found here: https://www.marchnetworks.com/software-downloads/
March Networks would like to acknowledge CC-Teknologies for reporting this vulnerability.
Dec 16 – Public report
March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and on the system having been deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high security vulnerability is determined to affect March Networks products.