Vulnerabilities in Mirasys VMS video management solution | Traficom
Skip to main content
National Cyber Security Center
Report incidents
Report incidents
Report incidents

Vulnerabilities in Mirasys VMS video management solution

June 28, 2019 at 11:00, updated July 11, 2019 at 14:44

Three different vulnerabilities has been discovered in Mirasys VMS systems. An attacker abusing these vulnerabilities might obtain confidential information or execute malicious code in the target system. Mirasys has released new version of the VMS software that fix the vulnerabilities.

Mirasys is a fully open and manufacturer independent video management solution that integrates with cameras, other devices, and systems from third party suppliers and other manufacturers. Please contact the vendor for more information about the update process.

The vulnerabilities were discovered by Joachim Kerschbaumer, an independent security researcher from Austria. NCSC-FI would like to thank the researcher and the vendor for participating in the coordination.
 

Target of vulnerability

  • Mirasys VMS - V8.3.1 and earlier versions, V7.6.0 and earlier versions.

What is this about?

  • Please contact the vendor for more information about the update process.
    • Mirasys VMS V8.3.2 resolves two of the three reported vulnerabilities
    • Mirasys VMS V8.3.3 resolves the three reported vulnerabilities
    • Mirasys VMS V7.6.1 resolves the three reported vulnerabilities.

What can I do?

https://mirasys.com/

CVE-2019-11029
CVE-2019-11030
CVE-2019-11031

Contact NCSC-FI Vulnerability coordination at vulncoord@ncsc.fi. Please mention [FICORA #1086008] in email topic. 
More information about NCSC-FI: https://www.ncsc.fi

 

Embedded systems

An embedded system consists of a device and its software. Relatively many of the devices used by consumers can be considered as embedded systems. An example of such systems is a digital set-top box which is necessary for viewing digital TV broadcasts.

Servers and server applications

Vulnerabilities in servers and server software concern providers of electronic services, among others. Typical targets are operating systems of servers, as well as web or e-mail server software, such as SunOS, Linux, Apache, IIS or Sendmail.

Remote

A remotely performed attack can be implemented via an information network connection or similar without accessing the targeted system.

No authentication required

The attack does not require logging into the system subject to attack. As an opposite are such attacks that require the use of a user name and password and, for example, execution of commands when logged into the system.

Execution of arbitrary commands

A vulnerability that enables the execution of arbitrary commands must be considered serious because it means that the person utilising the vulnerability can use the targeted system just like an ordinary user of the system. It can also lead to that the attacker who has hacked into the system can via a network upload and execute own software in the system.

Obtaining of confidential information

Obtaining confidential information from the target system requires that the information content of the system, e.g. files saved on the hard disk, is accessible without a permission and can be forwarded.

Proof of concept

Software update patch

Normally, hardware or software manufacturers publish a new version or a partial update for a software or operating system soon after the vulnerability has become public. The update can be available at the same time as the vulnerability is published, but often the users have to wait for the update.

July 11, 2019 at 14:44 Added details regarding updated versions.