Vulnerabilities in Mirasys VMS video management solution
Vulnerability13/2019
Three different vulnerabilities has been discovered in Mirasys VMS systems. An attacker abusing these vulnerabilities might obtain confidential information or execute malicious code in the target system. Mirasys has released new version of the VMS software that fix the vulnerabilities.
Mirasys is a fully open and manufacturer independent video management solution that integrates with cameras, other devices, and systems from third party suppliers and other manufacturers. Please contact the vendor for more information about the update process.
The vulnerabilities were discovered by Joachim Kerschbaumer, an independent security researcher from Austria. NCSC-FI would like to thank the researcher and the vendor for participating in the coordination.
Target
- Embedded systems
- Servers and server applications
Attack vector
- Remote
- No authentication required
Impact
- Execution of arbitrary commands
- Obtaining of confidential information
Exploit seen live
- Proof of concept
Remediation
- Software update patch
Subject of vulnerability
- Mirasys VMS - V8.3.1 and earlier versions, V7.6.0 and earlier versions.
What is it about?
- Please contact the vendor for more information about the update process.
- Mirasys VMS V8.3.2 resolves two of the three reported vulnerabilities
- Mirasys VMS V8.3.3 resolves the three reported vulnerabilities
- Mirasys VMS V7.6.1 resolves the three reported vulnerabilities.
What can I do?
https://mirasys.com/ (External link)
CVE-2019-11029 (External link)
CVE-2019-11030 (External link)
CVE-2019-11031 (External link)
Contact NCSC-FI Vulnerability coordination at vulncoord@ncsc.fi. Please mention [FICORA #1086008] in email topic.
More information about NCSC-FI: https://www.ncsc.fi (External link)
Added details regarding updated versions.