Vulnerabilities in Mirasys VMS video management solution

Vulnerability 13/2019

Three different vulnerabilities have been discovered in Mirasys VMS systems. An attacker abusing these vulnerabilities might obtain confidential information or execute malicious code in the target system. Mirasys has released new versions of the VMS software that fix the vulnerabilities.

Mirasys is a fully open and manufacturer-independent video management solution that integrates with cameras, other devices, and systems from third-party suppliers and other manufacturers. Please contact the vendor for more information about the update process.

The vulnerabilities were discovered by Joachim Kerschbaumer, an independent security researcher from Austria. NCSC-FI would like to thank the researcher and the vendor for participating in the coordination.

Target

  • Embedded systems
  • Servers and server applications

Attack vector

  • Remote
  • No authentication required

Impact

  • Execution of arbitrary commands
  • Obtaining of confidential information

Exploit seen live

  • Proof of concept

Remediation

  • Software update patch

Vulnerable software

  • Mirasys VMS - V8.3.1 and earlier versions, V7.6.0 and earlier versions.

Possible solutions

  • Please contact the vendor for more information about the update process.
    • Mirasys VMS V8.3.2 resolves two of the three reported vulnerabilities.
    • Mirasys VMS V8.3.3 resolves the three reported vulnerabilities.
    • Mirasys VMS V7.6.1 resolves the three reported vulnerabilities.

Additional information

https://mirasys.com/

CVE-2019-11029
CVE-2019-11030
CVE-2019-11031

Contact NCSC-FI Vulnerability coordination at vulncoord@ncsc.fi. Please mention [FICORA #1086008] in the email subject.
More information about NCSC-FI: https://www.ncsc.fi

Added details regarding updated versions.