| Field | Value |
|---|---|
| Advisory Summary | An authorized Command Enterprise user could forge a control message over the Command API to modify resource visibility outside of approved access. |
| Products or Components | Command Enterprise |
| Addressed in Release | 2.16.0 |
Command Enterprise contains a vulnerability in which an authorized (authenticated) user can forge a control message over the Command API to modify resource visibility outside of the access approved for that user. The server accepts the message on the strength of the session alone, without confirming that the sender holds rights over the specific resources the message names.
An authenticated malicious user who has no access to certain resources in the topology may exploit this to add, modify or delete resources that are visible to other users. The result is an escalation of privileges over resources managed by Command Enterprise, including video channels, alarms and switches.
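The bug class described above is a missing object-level authorization check: the handler trusts that a logged-in caller may edit whatever resource the message names. The following is an added, constructed illustration of that pattern beside its hardened form; it is not March Networks code and does not reproduce the Command API. The message shape, the resource names, the users and the permission model are all hypothetical.

```python
"""Hypothetical model of a visibility-control message handler.

Constructed example: the topology, users, message format and permission
model below are invented for illustration. They are not the Command API
and not March Networks code.
"""
from dataclasses import dataclass, field

# Constructed topology: resource id -> users allowed to see it.
VISIBILITY = {
    "camera-01": {"alice", "bob"},
    "alarm-07": {"alice"},
    "switch-03": {"carol"},
}

# Constructed ACL: resource id -> users allowed to *manage* it, i.e. to
# change who can see it. This is the check the vulnerable handler skips.
MANAGERS = {
    "camera-01": {"alice"},
    "alarm-07": {"alice"},
    "switch-03": {"carol"},
}


@dataclass
class ControlMessage:
    """A client-supplied request to change a resource's visibility."""
    sender: str                                # user bound to the session
    resource: str                              # resource being edited
    grant: set = field(default_factory=set)    # users to add
    revoke: set = field(default_factory=set)   # users to remove


def apply_visibility_vulnerable(msg, visibility):
    """Vulnerable handler: any authenticated user may edit any resource.
    The only check is that the resource exists."""
    if msg.resource not in visibility:
        return False
    visibility[msg.resource] |= msg.grant
    visibility[msg.resource] -= msg.revoke
    return True


def apply_visibility_hardened(msg, visibility, managers):
    """Hardened handler: authorize the sender against the specific
    resource named in the message before mutating anything."""
    if msg.resource not in visibility:
        return False
    if msg.sender not in managers.get(msg.resource, set()):
        # Authenticated but not authorized for this object: reject and
        # leave the topology untouched.
        return False
    visibility[msg.resource] |= msg.grant
    visibility[msg.resource] -= msg.revoke
    return True


def demo():
    """Bob, who cannot manage switch-03, forges a message granting himself
    access. Returns (vulnerable_accepted, hardened_accepted,
    vulnerable_state, hardened_state) for the two handlers."""
    forged = ControlMessage(sender="bob", resource="switch-03", grant={"bob"})
    vuln_state = {k: set(v) for k, v in VISIBILITY.items()}
    hard_state = {k: set(v) for k, v in VISIBILITY.items()}
    v = apply_visibility_vulnerable(forged, vuln_state)
    h = apply_visibility_hardened(forged, hard_state, MANAGERS)
    return v, h, vuln_state["switch-03"], hard_state["switch-03"]


if __name__ == "__main__":
    accepted_v, accepted_h, state_v, state_h = demo()
    print("vulnerable handler accepted:", accepted_v, "->", sorted(state_v))
    print("hardened handler accepted:  ", accepted_h, "->", sorted(state_h))
```

The point of the hardened form is that the authorization decision is made per resource named in the message, on the server, against an ACL the client cannot influence; session authentication alone is never treated as permission to edit an object.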
Upgrade to Command Enterprise Suite 2.16.0, the release that corrects this vulnerability.
March Networks would like to acknowledge Siemens Mobility GmbH for reporting this vulnerability.
Feb. 3, 2023 – Initial public report
March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level, and on the system having been deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry-leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high-severity security vulnerability is determined to affect March Networks products.