
An authorized Command Enterprise user could forge a control message over the Command API to modify resource visibility outside of approved access.

CVE: N/A
Advisory Summary: An authorized Command Enterprise user could forge a control message over the Command API to modify resource visibility outside of approved access.
Products or Components: Command Enterprise
Addressed in Release: 2.16.0
Severity: High
Ticket: SV-80

Description

Command Enterprise was found to contain a vulnerability in which an authorized user could forge a control message over the Command API to modify resource visibility outside of approved access.

Impact

A malicious user, without access to certain resources in the topology, may exploit this vulnerability to add, modify or delete resources that are seen by other users. This may lead to an escalation of resource privileges managed by Command Enterprise (including video channels, alarms and switches).

Solution

Upgrade Command Enterprise to the latest software, Command Enterprise Suite 2.16.0, which corrects this vulnerability.

Downloads

Visit our Partner Portal to download Command Enterprise Suite 2.16.0.

Credits

March Networks would like to acknowledge Siemens Mobility GmbH for reporting this vulnerability.

Revision

Feb. 3, 2023 – Initial public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and on the system having been deployed and configured in accordance with March Networks’ security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry-leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high security vulnerability is determined to affect March Networks products.
