March Networks 8000, 9000 and RideSafe Series recorders (R5) allow cameras and encoders to request authentication using weak protocols (NTLMv2 and basic authentication).

Description

This issue is related to 8000, 9000 and RideSafe Series recorders (R5) allowing cameras and encoders to request authentication using weak protocols (NTLMv2 and basic authentication). This could allow a rogue edge device, in a non-trusted environment, to force a recorder to use such protocols, enabling the ability to steal cameras’ and encoders’ credentials.

Impact

By default, the recorder uses secure authentication protocols, switching to weak ones only if a configured camera or encoder asks for them.

An attacker with skills and access sufficient to replace a camera or encoder with a rogue device using the same network address, can record the authentication messages and decode them to retrieve the device authentication credentials. If the same credentials are used on multiple devices, all of them could be compromised.

This could allow for unauthorized or unintended access to video, an improper change in camera settings impacting live and recorded video, or a complete denial of service to cameras due to a password change by the attacker, which would also impact live and recorded video.

Mitigation

Protecting the camera’s network with 802.1x certificates prevents this kind of attack.

Solution

Visual Intelligence Suite software update 5.24.0.0067 added an option to forbid the recorder to use weak authentication protocols if a device is trying to enforce them for device brands that allow this. This option is not enabled by default to avoid issues with cameras or encoders allowing only weak authentication protocols if they are already configured in the field. We recommend applying this option on all device brands supporting it, and verifying any connection issues with the device.

In the event connection issues are experienced, we suggest looking in the device configuration options and/or upgrading its firmware. If the device supports only weak authentication protocols, we recommend enabling 802.1x access or consider replacing the device.

Downloads

Visit our Partner Portal to download Visual Intelligence Suite Update 5.24.0.0067.

Revision

Feb. 3, 2023– Initial public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and that the system has been deployed and configured, in accordance to March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes, for our supported products, if and when a high security vulnerability is determined to affect March Networks products.