{"vuid":"VU#276148","idnumber":"276148","name":"Dedicated Micros DVR products use plaintext protocols and require no password by default","keywords":["dedicated micros","dvr","cwe-311","cwe-284"],"overview":"Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.","clean_desc":"CWE-311: Missing Encryption of Sensitive Data Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers. CWE-284: Improper Access Control - CVE-2015-2909 Dedicated Micros DVR products by default do not require authentication. End users may password-protect their devices but are not required to do so, resulting in devices that are open to unauthorized access and tampering.","impact":"A remote, unauthenticated attacker can view and manipulate sensitive data and take complete control of an unsecured device.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.","workarounds":"Enable secure communications protocols According to the vendor, \"users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish.\" Users are encouraged to contact the vendor for guidance in setting up secure protocols. Use password protection According to the vendor: The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own. The user is presented with clear warnings on the GUI that they should set usernames and passwords. Users are encouraged to refer to individual device documentation or to contact the vendor for guidance in setting up authentication. 
Enable security by default Vendors should provide systems that are reasonably secure by default rather than dependent on end user configuration choices. Shodan results show that some Dedicated Micros devices are openly accessible on the Internet with no authentication. While it may be reasonable to argue that secure configuration options exist and that default passwords are insecure, more secure alternatives exist: Enable secure protocols by default, or at least prompt users to enable them when external access is configured. Implement unique default passwords, even if based on something deterministic like the MAC address. Require users to change the password at setup.","sysaffected":"","thanks":"Thanks to Andrew Tierney for reporting this vulnerability.","author":"This document was written by Joel Land.","public":["http://www.dedicatedmicros.com/europe/products_group.php?product_group_id=1","http://cybergibbons.com/security-2/shodan-searches/interesting-shodan-searches-sd-advanced-dvrs/","https://www.shodan.io/search?query=command+line+processor+-username","http://cwe.mitre.org/data/definitions/284.html","http://cwe.mitre.org/data/definitions/311.html"],"cveids":["CVE-2015-2909"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-05-20T12:22:53Z","publicdate":"2015-08-20T00:00:00Z","datefirstpublished":"2015-08-20T14:30:24Z","dateupdated":"2015-08-20T14:30:25Z","revision":22,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"8.5","cvss_environmentalscore":"6.4089697392","cvss_environmentalvector":"CDP:N/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}