Axis OS Vulnerability Scanner User guide

AXIS OS Vulnerability Scanner Guide

Introduction
Vulnerabilities and risks

All software has vulnerabilities that could potentially be exploited. Vulnerabilities will not automatically introduce risk. Risk is defined by the probability of a threat exploiting a vulnerability and the potential negative impact that a successful exploit can do. Reduce any of the two and you reduce the risk. Cybersecurity is about managing risks, and risks are very hard to eliminate. The risk level depends on how a device/software is deployed, operated and managed. Reducing exposure (minimizing the opportunity) is an effective way to mitigate risks. AXIS OS Hardening Guide describes several security controls and recommendations for minimizing risks when deploying, operating and maintaining an Axis device.

Some vulnerabilities may be easy to exploit while some may require a high level of sophistication, a special skill set and/or time and determination. A threat requires physical or network access to the device. Some vulnerabilities require administrator privileges to exploit. The CVSS (Common Vulnerability Scoring System) is a commonly used measure to help determine how easy a vulnerability is to exploit and the potential negative impact. These scores are often based on software in critical systems or software that has high exposure to users and/or the Internet. Axis monitors the CVE (Common Vulnerabilities & Exposures) database, which publishes known vulnerabilities in software, for the CVE entries that relate to the open-source packages used in Axis devices. Vulnerabilities that Axis identifies as limited risk will be remedied in future firmware releases. Vulnerabilities that Axis identifies as an increased risk will be treated with priority, resulting in an unscheduled firmware patch or the publishing of a security advisory informing about the risk and recommendations.

Scanning tools reporting false-positives

Scanning tools will typically try to identify known vulnerabilities by examining version numbers of software and packages found in a device. There is always the possibility that a scanning tool will report a false-positive remark, meaning that the device does not actually have the vulnerability. All remarks from such scanning tools need to be analyzed to validate that they in fact apply to the device. You need to make sure that the Axis device has the latest firmware version as it may include patches that address several vulnerabilities.

Scope

This guide is written for, and can be applied to, all AXIS OS-based products that are running an AXIS OS LTS or active track firmware. Legacy products running 4.xx and 5.xx firmware are also in scope.
Quick start guide

It is recommended to perform regular vulnerability assessments of the infrastructure the Axis device is part of as well as of the Axis device itself. These vulnerability assessments are usually performed by network security scanners. The purpose of a vulnerability assessment is to provide a systematic review of potential security vulnerabilities and misconfigurations. We would like to emphasize the following recommendations before scanning the Axis device for vulnerabilities in order to maximize the quality of the scanning report as well as to avoid common mistakes and false-positives.

• Make sure that the firmware of the Axis device is up to date with the latest available release, either on the AXIS OS long-term support (LTS) track or the active track. The latest available AXIS OS firmware can be downloaded here.
• The recommendations in AXIS OS Hardening Guide should be applied before scanning to avoid false-positives as well as making sure that the Axis device is operated according to Axis cybersecurity recommendations.
• It is recommended to perform a so-called credentialed vulnerability scan where, e.g., the security scanner is allowed to log in to the Axis device via HTTP(S) or SSH. A credentialed security scan is more effective since the scan surface is widened significantly.
• We emphasize the importance of conducting the vulnerability scan using well-established partners with a broad knowledge and a dedicated set of Axis-specific scanning plugins on the market, such as Tenable, Rapid7, Qualys, or others.
Most common remarks

Outdated software components

Background

Security scanners highlight when a device is running an outdated version of a software component. It may even occur that the security scanner is unable to determine what version is actually running and flags it anyway. The security scanner simply compares the version of the software components running on the Axis device against the latest available version. The security scanner then outputs a list with security vulnerabilities, even without confirmation that the device being tested is really affected as such. This has been observed with the Linux kernel, OpenSSL, Apache, BusyBox, OpenSSH, Curl and others.

Open-source software components do receive new features, bug fixes and security patches throughout the course of their development, resulting in a high release cycle. Therefore, it is not uncommon that the Axis device being tested is not running the latest version of a software component. However, Axis is monitoring open-source software components for security vulnerabilities that could potentially be deemed critical by Axis, and will publish those accordingly in a security advisory.

Common report terms

"A vulnerable version of Linux was found to be utilized"
"According to its banner, the version of Apache running..."
"According to its banner, the version of OpenSSL running..."
"Server Version Disclosure (Header)…"

Risk and recommendations

From AXIS OS 10.6 and onwards, it's possible to disable the OpenSSL and Apache header information by disabling the parameter HTTPServerHeaderComments in Plain config > System. This may result in vulnerabilities not being detected by security scanners since the package version is not easily identifiable. Axis strongly recommends to keep the device firmware up-to-date and encourages to perform security audits on your devices.
Apache web server

Background

Axis devices base their web interface and other web-related functionality on the Apache web server. The web server in Axis devices is primarily being used in two scenarios:

• For general purpose machine-to-machine communication between the Axis device and the system it's connected to, usually a video management system that is accessing the Axis device via API interfaces such as ONVIF and VAPIX.
• The installer, administrators and the end user performing (initial) configuration and maintenance tasks.

The Apache web server is a module-based open-source package. These individual modules can contain vulnerabilities. Below is a list of modules that are commonly loaded and used on Axis devices:
core_module (static)
so_module (static)
filter_module (static)
brotli_module (static)
http_module (static)
suexec_module (static)
unixd_module (shared)
alias_module (shared)
rewrite_module (shared)
cgid_module (shared)
log_config_module (shared)
setenvif_module (shared)
mime_module (shared)
ssl_module (shared)
authn_core_module (shared)
authz_core_module (shared)
authn_file_module (shared)
authz_user_module (shared)
authz_owner_module (shared)
auth_digest_module (shared)
auth_basic_module (shared)
authn_axisbasic_module (shared)
authn_encoded_user_file_module (shared)
authz_urlaccess_module (shared)
authz_axisgroupfile_module (shared)
proxy_module (shared)
proxy_fcgi_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
trax_module (shared)
headers_module (shared)
iptos_module (shared)
http2_module (shared)
axsyslog_module (shared)
systemd_module (shared)
ws_module (shared)
mpm_worker_module (shared)
socache_shmcb_module (shared)
A vulnerability that applies to a certain module in Apache is only relevant if that module is loaded and used by the Axis edge device. Vulnerabilities of modules that are not loaded are not relevant.

Common report terms

"Apache HTTPD: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)"
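As an added example (not code from the Axis guide), a small Python triage helper that applies the rule above: it parses a loaded-module list in the "name_module (static|shared)" form used in this guide, maps the "mod_<name>" naming found in scanner remarks to Apache's "<name>_module", and reports whether the finding can apply at all. The quoted remark and the module names come from this page; the abbreviated module list, the second remark and the function names are constructed for the example.

```python
import re

# Abbreviated loaded-module list in the form shown in the guide (constructed
# subset for this example; a real check would use the device's full list).
LOADED_MODULES_TEXT = """
core_module (static)
so_module (static)
http_module (static)
proxy_module (shared)
proxy_fcgi_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
ssl_module (shared)
headers_module (shared)
"""

MODULE_LINE = re.compile(r"^\s*(\w+_module)\s*\((static|shared)\)\s*$")
# Scanner remarks name modules as "mod_xyz"; Apache loads them as "xyz_module".
MOD_IN_REMARK = re.compile(r"\bmod_([a-z0-9_]+)\b")


def parse_loaded_modules(text: str) -> dict[str, str]:
    """Return {module_name: 'static'|'shared'} for every well-formed line."""
    loaded = {}
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def modules_in_remark(remark: str) -> set[str]:
    """Map every 'mod_xyz' mentioned in a scanner remark to 'xyz_module'."""
    return {f"{name}_module" for name in MOD_IN_REMARK.findall(remark)}


def triage(remark: str, loaded: dict[str, str]) -> dict:
    """Decide whether a module-specific finding can apply to this device.

    A finding is relevant only if at least one module it names is loaded.
    Remarks that name no module cannot be triaged this way and are left for
    manual review (relevant=None).
    """
    named = modules_in_remark(remark)
    if not named:
        return {"relevant": None, "named": [], "loaded": []}
    present = sorted(m for m in named if m in loaded)
    return {"relevant": bool(present), "named": sorted(named), "loaded": present}


if __name__ == "__main__":
    loaded = parse_loaded_modules(LOADED_MODULES_TEXT)
    # Remark quoted in the guide: proxy_ftp_module is not in the loaded list.
    print(triage("Apache HTTPD: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)", loaded))
    # Constructed remark naming a module that is loaded, so it needs a real look.
    print(triage("Issue reported in mod_proxy_http request handling", loaded))
```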
Risk and recommendations

Apache vulnerabilities will typically increase risk for public web services exposed to the Internet targeting public users. The web server in Axis devices should only be used by installers, administrators and maintainers. It's not recommended to expose Axis devices to be accessible over the Internet, nor should users have privileges to use a web browser to access a device during daily operations. Additional security controls such as IP tables, only allowing approved clients to access and disabling/preventing web browsers from accessing can be applied to further reduce risks.
OpenSSL

Background

Axis devices use OpenSSL as a common security core component to provide security functionality for, e.g., HTTPS, certificate and encryption use cases. "Outdated OpenSSL version" is a common scanning remark on Axis devices, and new vulnerabilities are discovered frequently in OpenSSL.

Similar to the Apache web server, OpenSSL is a modular-based platform; see below a list of modules that are not utilized by Axis products:

no-camellia no-heartbeats no-mdc2 no-srp
no-capieng no-hw no-rc5 no-zlib threads
no-dtls no-idea no-sctp
no-dtls1 no-md2 no-seed

A vulnerability that applies to a certain module in OpenSSL needs to be loaded and used by the Axis edge device. Vulnerabilities of modules that are not loaded are not relevant but may still be flagged by the scanning tool.

Risk and recommendations

Vulnerabilities in OpenSSL do not pose any risks if the system is not using services such as HTTPS or 802.1x (TLS), SRTP (RTSPS) or SNMPv3. It is not possible to compromise the device itself as a potential attack would target the TLS connections and traffic. Exploiting OpenSSL vulnerabilities requires access to the network, a high skill set and a lot of determination.
Self-signedcerticate
Background
Axisdevicescomewithaself-signedcerticatethatisgeneratedautomaticallyuponrstbootinordertoprovidethepossibilityto
accesstheproductviaencryptedHTTPSconnectionandproceedwiththeinitialsetupoftheproduct.Securityscannersmayhighlight
theexistenceoftheself-signedcerticateasinsecureandAxisrecommendsremovingtheself-signedcerticatefromthedevice
andreplacingitwithaservercerticatethatistrustedinyourorganization.Theself-signedcerticateprovidesinthatsensea
condentialandsecuremechanismforinitialcongurationbutrequirestheusertostillchecktheauthenticityofthedeviceitself.
Commonreportterms
"SSLCerticateCannotBeTrusted..."
5
AXISOSVulnerabilityScannerGuide
Mostcommonremarks
"SSLSelf-SignedCerticat"
"X.509CerticateSubjectCNDoesNotMatchtheEntityName..."
Riskandrecommendations
Self-signedcerticatesprovidenetworkencryptionbutdonotprotectfromman-in-the-middleattacks(arougeservice
impersonatingalegitimatenetworkservice).IfusingserviceslikeHTTPSor802.xit’srecommendedtouseCerticateAuthority(CA)
signedcerticates.ThesemustbesuppliedbythesystemownerusingapublicorprivateCA.IfnotusingHTTPSor802.1xthereare
norisks,andvulnerabilitiesintheunderlyingOpenSSLcannotbeusedtocompromisetheAxisdevice.ForAxisdevicesfeaturesAxis
EdgeVault,theself-signedcerticatewasreplacedbytheIEEE802.1ARdeviceIDcerticate.
RSA key length

Background

As Axis devices come with a pre-loaded self-signed certificate, some devices have a shorter key length for the certificate than the 2048 bits. The certificate is also of a non-standard bit length to ensure most reputable CAs will reject a signing request of this. Security scanners may highlight this as insecure and it is recommended to replace this certificate before production deployment as it is only intended for initial setup.

Common report terms

"SSL Certificate Chain Contains RSA Keys Less Than 2048 bits..."
"Length of RSA modulus in X.509 certificate: 1536 bits (less than 2048 bits)..."

Risk and recommendations

This vulnerability cannot be used to compromise the device. The default self-signed key length of Axis devices is set to 1536 bits in order to reduce the connection latency and time to generate the certificate and key. This key length provides enough protection for administrative tasks such as resetting device account passwords and initial setup of the Axis device. It's recommended to replace the default certificate with a CA-signed certificate that should be provided by the system owner.
Cipher settings

Background

Throughout regular firmware updates, the list of available ciphers of the Axis device may receive updates without the actual cipher configuration being changed. Changing cipher configuration must be user-initiated, either by performing a factory default of the Axis device or via manual user configuration. From AXIS OS 10.8 and onwards, the list of ciphers is automatically updated when the user initiates a firmware update.

Common report terms

"Weak Cryptographic Key…"
"TLS/SSL Server Supports The Use of Static Key Ciphers…"

It is recommended to always use the strongest ciphers for HTTPS encryption when possible.

TLS 1.2 and lower: When using TLS 1.2 or lower you can specify the HTTPS ciphers to be used in Plain Config > HTTPS > Ciphers followed by a restart of the Axis device. Axis recommends to select all or any of the following strong-considered ciphers (updated September 2021), or to do a desired selection of your own.

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

TLS 1.3: When using TLS 1.3, the HTTPS ciphers parameter in Plain Config has no effect as per default, only strong ciphers according to TLS 1.3 will be selected. The selection cannot be changed by the user and is updated through a firmware update if needed. Currently the ciphers are (updated September 2021):

TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
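As an added example (not from the Axis guide), a Python check that audits a Plain Config HTTPS cipher string against the strong-considered TLS 1.2 list above, and also flags suites without ephemeral key exchange, which is what the "Static Key Ciphers" remark refers to. The recommended list is copied from this page; the sample configuration string and the function names are constructed.

```python
# Strong-considered TLS 1.2 ciphers listed in the guide (September 2021).
RECOMMENDED_TLS12 = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# OpenSSL cipher names starting with these prefixes negotiate an ephemeral
# (forward-secret) key. Other TLS 1.2 names such as "AES128-SHA" use static
# RSA key transport, which scanners report as "static key ciphers".
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def parse_cipher_string(value: str) -> list[str]:
    """Split an OpenSSL-style colon-separated cipher string, dropping blanks."""
    return [c.strip() for c in value.split(":") if c.strip()]


def audit_https_ciphers(configured: str) -> dict:
    """Classify each entry of a Plain Config > HTTPS > Ciphers value.

    Returns the entries that match the recommended list, those that do not,
    those lacking forward secrecy, and a 'clean' flag that is True only when
    every configured cipher is on the recommended list.
    """
    recommended = set(parse_cipher_string(RECOMMENDED_TLS12))
    result = {"recommended": [], "not_recommended": [], "static_key": []}
    for cipher in parse_cipher_string(configured):
        bucket = "recommended" if cipher in recommended else "not_recommended"
        result[bucket].append(cipher)
        if not cipher.startswith(EPHEMERAL_PREFIXES):
            result["static_key"].append(cipher)
    result["clean"] = not result["not_recommended"]
    return result


if __name__ == "__main__":
    # Constructed configuration: two recommended suites plus one legacy RSA suite.
    sample = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384"
    print(audit_https_ciphers(sample))
    print(audit_https_ciphers(RECOMMENDED_TLS12)["clean"])
```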
Web server remarks

Boa web server

Background

Axis devices with firmware version 5.65 and lower utilize the Boa web server for web interface and web-related functionality. The web server in Axis devices is being primarily used in two scenarios:

• For general purpose machine-to-machine communication between the Axis device and the system it is connected to, usually a video management system that is accessing the Axis device via API interfaces such as ONVIF and VAPIX.
• For configuration and maintenance tasks performed by installers, administrators and end users.

Similar to the newer Apache web server that is utilized by Axis devices with newer firmware, the Boa web server can be affected by vulnerabilities. Security scanners may not recognize the web server used in older Axis devices and will therefore simply assume that these devices utilize the Apache web server. A vulnerability that applies to the Apache web server does not apply to the Boa web server by default if not stated otherwise.

Common report terms

"According to its banner, the version of Apache running..."
"The version of Apache httpd installed on the remote host is prior to 2.4.46. It is, therefore, affected by multiple vulnerabilities..."
Apache Struts and Apache Tomcat

Background

As described in the Apache web server section, Axis devices base their web interface and web-related functionality on the open-source Apache web server. Other flavors of the Apache web server exist, such as Apache Struts or Tomcat, but are not utilized in Axis devices. Axis utilizes the plain open-source Apache web server implementation of the Apache Software Foundation (ASF).

Common report terms

"A vulnerability has been discovered in Apache Tomcat..."
"The Jakarta multipart parser in Apache Struts..."
Web user sessions

Background

Axis devices base their web interface and other web-related functionality on the Apache web server. The web server in Axis devices is primarily being used in two scenarios:

• For general purpose machine-to-machine communication between the Axis device and the system it's connected to, which usually is a video management system that is accessing the Axis device via API interfaces such as ONVIF and VAPIX.
• When the installer, administrators and the end user perform (initial) configuration and maintenance tasks.

Currently, Axis devices do not support traditional web user based sessions where it's possible for the web session to, e.g., log out or automatically expire after a certain amount of time of user inactivity while the browser window is open. Every request through the web server on an Axis device has to be authenticated properly in order to be processed before the specific web session is open for further communication. In order to actively close a web session, the browser has to be closed.

Common report terms

"Concurrent User Sessions…"
"Insufficient Session Termination and Expiry…"
"Application Lacks Logout Feature…"

Risk and recommendations

Axis recommends to access the device through an application, such as a video management system (VMS), as primary video client instead of using the web browser if this would be a subject of concern. However, if the web browser is the only video client available, keep the following guidelines in mind:

• Do not visit untrusted websites or open e-mails from untrusted senders (this is of course a general cyber protection recommendation).
• Use a different browser, which is not the system default, to configure the Axis device.
• Create a viewer account on the device and use this when viewing the video stream. The viewer account has minimal privileges and no rights to change the configuration of the Axis device.
• Do not leave the browser open unattended after configuration in order to minimize the attack window.
Firmware remarks

Axis firmware version string

Background

Axis discloses vulnerabilities and provides updated firmware with security fixes so that customers can update and mitigate potential risks. Security scanners usually perform only a limited comparison of the firmware version the Axis product is running against older, outdated firmware that may contain vulnerabilities. A security scanner may not recognize the Axis firmware correctly, causing the scanner to flag the firmware running as vulnerable or insecure. Always consult the release notes for the firmware version of the product being tested since serious or critical vulnerability patches are listed in this document.

It may cause confusion if the Axis device is running a custom firmware version or if the security scanner is not updated with the latest information of available Axis firmware. Below are some examples of Axis firmware version strings:

9.70.1
9.70.1_beta
9.70.1.5

Common report terms

"Axis Multiple Vulnerabilities (ACV-128401)..."
Linux distribution and built-in package manager

Background

Security scanners may support a so-called "credentialed scan" using login data via web login (HTTP) or via the maintenance access (SSH) in order to get more information about the device, its operating system and other software that might run on it. The Linux distribution is a Poky (OpenEmbedded) version with both local and upstream patches that may not match or be recognized as such by the security scanner. Furthermore, the security scanner may expect the usage of a package manager, which is not used in Axis products.

Below is a comparison of the naming scheme between the Axis-used distribution and a standard Linux distribution. Note that the latter may be recognized by the security scanner and pass while the Axis version may not. To illustrate this, compare the Axis-specific 4.9.206-axis and the Linux-generic 4.9.206-generic version strings.

Common report terms

"Local security checks have NOT been enabled because the remote Linux distribution is not supported..."
Unencryptedrmwareandchip
Background
SecurityscannersmayhighlighttheusageofashchipsusedintheAxisdeviceandmarkthemorthelesystemsassuchwith
"unencrypted".Axisdevicesdoencryptusersecretssuchaspasswords,certicates,keysandotherleswithoutnecessarilyencrypting
thelesystem.RemovablelocalstoragesuchasSDcardsareencryptedusingLUKSencryption.
Commonreportterms
"Theashchipthatcontainstherootlesystemofthedeviceisnotencrypted...."
"Informationwasextractedfromtheunencryptedrmwareimage,including...."
Riskandrecommendations
Thisvulnerabilitycannotbeusedtocompromisethedevice.Thermwaredoesnotcontainanysecretsbydefaultandneedsnoother
protectionthanthermwaresignaturetovalidatetheintegrity.Encryptedsoftwaremakesitharderforsecurityresearchersto
identifynew(unknown)vulnerabilities,andencryptedsoftwaremaybeusedbyvendorstohidedeliberateaws(securitythrough
obscurity).ForAxisdevices,rootaccessisrequiredtoaccessthelesystemofthedevicetogainaccesstoit.Sensitiveinformation
suchaspasswordsarestoredencryptedonthelesystemandrequireahighlevelofsophistication,skillset,timeanddetermination
9
AXISOSVulnerabilityScannerGuide
Firmwareremarks
toextract.Makesuretouseastrongrootpasswordandkeepitprotected.Usingthesamepasswordformultiplecamerassimplies
managementbutincreasestheriskifonecamera’ssecuritybeingcompromised.
Bootloader

Background

Security scanners may believe that they have identified the make and model of the bootloader implementation used in Axis devices and could therefore highlight vulnerabilities related to secure boot or the bootloader itself. Axis network video and network audio products utilize an in-house developed bootloader referred to as nandboot/netboot.

Common report terms

"A vulnerability in all versions of the GRUB2 bootloader has been detected..."
"An issue was discovered in Das U-Boot through 2019.07..."
Network remarks

TCP/ICMP timestamp response

Background

While TCP and ICMP timestamp information is most often used as network tools to measure performance and availability of hosts, it can also be used to find time-related information about the network device itself. The ICMP timestamp information in ICMP type 13 (timestamp request) and ICMP type 14 (timestamp reply) communication provides information that could be used to calculate the actual device time in UTC. The TCP timestamp information can be used to calculate the so-called round-trip time (RTT) information between two network hosts, which would make it possible to calculate the current uptime of the Axis device.

Security scanners may flag the existence of TCP and ICMP timestamp responses from Axis devices and recommend to disable TCP and ICMP timestamp responses whenever possible. Axis follows the recommendation of the Linux open-source community which does not consider the actual date/time information provided from these responses as a security risk by itself. Therefore the TCP/ICMP timestamp responses are still enabled by default. Furthermore, in newer Linux kernel versions the actual calculation is considered unreliable as counter-measures ensure to make it unreliable to calculate the date/time information. As of today (February 2022), no known vulnerabilities or exploits have been disclosed that would justify disabling these services in Axis devices.

Common report terms

"TCP timestamp response found…"
"ICMP timestamp response found…"
HTTP(S), HSTS policy

Background

Axis devices are configured by default to allow HTTP and HTTPS connections. It is recommended to make use of the first-boot generated self-signed certificate in order to perform the first initial configuration of the Axis device in HTTPS mode and to switch the configuration to only allow for HTTPS connections. HTTPS can be enforced, e.g., from the web interface of the Axis device following Settings > System > Security. Furthermore, using HSTS (HTTP Strict Transport Security) to further increase device security is automatically enabled only when the Axis device is operated in HTTPS-only mode. HSTS is supported in the 2018 LTS (8.40), 2020 LTS (9.80) and the AXIS OS 10.1 active track.

Security scanners may highlight that the Axis device being tested is configured to allow HTTP only or HTTP & HTTPS at the same time. The detection is usually performed by validating the response from and checking the port status of the standard HTTP port 80. Axis recommends to use the device in HTTPS mode only by configuring this accordingly. Many security scanner audits are performed on Axis devices where this specific HTTPS-only configuration is not enforced, allowing the Axis device to respond to HTTP and/or HTTPS connections.

Common report terms

"HTTP (Port 80) insecure channel detected..."
"Web Portal Allows Unencrypted HTTP Connections By Default..."
"The remote web server is not enforcing HSTS, as defined by RFC 6797..."
"Insufficient Transport Layer Security…"
Hardware remarks

Architecture vulnerabilities

Background

Certain vulnerabilities may depend on the processor architecture that a device is using. Axis edge devices, such as cameras, encoders, wearables, audio and intercom products, are based on MIPS and ARM architecture and are, e.g., not affected by x64 or x86 architecture-based vulnerabilities.

Common report terms

"OpenSSL rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551)..."
"x64_64 Montgomery squaring procedure..."
UART/Serial console

Background

Physical inspection of the hardware of an Axis device may highlight the existence of a UART (Universal Asynchronous Receiver Transmitter) or serial console. Axis refers to this as a debug port. The debug port is only used for development and debugging purposes during engineering projects. While no sensitive information is exposed while being unauthenticated, the access to the debug port is password restricted and only the root user may log in. From AXIS OS 10.11 and onwards, the UART/serial console is disabled by default and can only be enabled after unlocking it via a device-unique custom firmware certificate. This is provided by Axis only and cannot be generated in any other way.

Common report terms

"Information Disclosure via UART/Serial Console..."
"Root Shell via UART/Serial Console..."
"On the PCB, the headers exposed a UART console..."
Ver. M3.2
AXIS OS Vulnerability Scanner Guide, Date: August 2022
© Axis Communications AB, 2022 Part No.