User 'Cameras' with no password: do you have one?

I don't know if that update included the fix or not. The "cameras" account was still on my system after updating. I had already marked it "LAN-only", yesterday, and it remained that way after the update this morning.
 

4.1.7.1 didn't fix the account that was added by 4.1.7.0.

I confirmed that running 4.1.7.0, and without modifying the cameras account that was added by 4.1.7.0, I was able to log into BI remotely using the username cameras and no password. I then applied the 4.1.7.1 update and tried it again. I was still able to log in with no password. I went in and edited the cameras user to be LAN only, and can no longer log in remotely with that user.
 

Please read post #62.
 
More info...

I have a second BI server, this one running 4.1.4.0, and also running BI as a service. I just applied the 4.1.7.1 update, and on this server only the admin account was added.

My recommendation would be that everyone check to see if they have a cameras user, and if so, secure or remove that account. I'll also be checking the list of users before and after any future updates.
 
Indeed, BI needs to start automatically removing the no-password cameras account. If BI leaves it in, then it becomes a serious problem because most users will never know it existed.
 
Version 4.1.7.2 available.

Updated security certificate
HTTP Live Streaming updates
Other enhancements and bug fixes

 
Exactly my point... Minimal impact for the reasons stated... Vulnerabilities need to be looked at in the proper context... The panic over this makes it appear much worse than it is...
There is already a new update available...
I don't think there is any software company I am aware of that updates vulnerabilities this quickly... Let alone NVRs, where firmware updates come rarely...


Panic is good, real good, to fix problem. But you (Fenderman) gotta learn to call a spade a spade. That's a problem. Why? 'Cause you carry clout, don't lose it.
 
I didn't say it was not a problem. It was. It's simply not as big a deal as you are making it out to be. There have been MUCH worse vulnerabilities in IP cameras/NVRs or other cloud devices that were not patched for months. This also affected only a small subset of users who run as a service and who recently updated their installation. I doubt there was even a single compromised machine. Panic is never good. Today's patch resolves the problem.
Finally, the issue was totally preventable using a VPN.