Axis OS Vulnerability Scanner is a powerful tool that enables you to assess the security posture of your Axis devices and identify potential vulnerabilities. With its advanced scanning capabilities, it provides comprehensive insights into the security risks associated with outdated software components, Apache web server configurations, and OpenSSL vulnerabilities, allowing you to take proactive measures to mitigate these risks and enhance the overall security of your network.
Axis OS Vulnerability Scanner is a powerful tool that enables you to assess the security posture of your Axis devices and identify potential vulnerabilities. With its advanced scanning capabilities, it provides comprehensive insights into the security risks associated with outdated software components, Apache web server configurations, and OpenSSL vulnerabilities, allowing you to take proactive measures to mitigate these risks and enhance the overall security of your network.
AXISOSVulnerabilityScannerGuide
AXISOSVulnerabilityScannerGuide
Introduction
Introduction
Vulnerabilitiesandrisks
Allsoftwarehasvulnerabilitiesthatcouldpotentiallybeexploited.Vulnerabilitieswillnotautomaticallyintroducerisk.Riskis
denedbytheprobabilityofathreatexploitingavulnerabilityandthepotentialnegativeimpactthatasuccessfulexploitcando.
Reduceanyofthetwoandyoureducetherisk.Cybersecurityisaboutmanagingrisks,andrisksareveryhardtoeliminate.Therisk
leveldependsonhowadevice/softwareisdeployed,operatedandmanaged.Reducingexposure(minimizingtheopportunity)isan
effectivewaytomitigaterisks.AXISOSHardeningGuidedescribesseveralsecuritycontrolsandrecommendationsforminimizing
riskswhendeploying,operatingandmaintaininganAxisdevice.
Somevulnerabilitiesmaybeeasytoexploitwhilesomemayrequireahighlevelofsophistication,aspecialskillsetand/ortimeand
determination.Athreatrequiresphysicalornetworkaccesstothedevice.Somevulnerabilitiesrequireadministratorprivilegesto
exploit.TheCVSS(CommonVulnerabilityScoringSystem)isacommonlyusedmeasuretohelpdeterminehoweasyavulnerability
istoexploitandthepotentialnegativeimpact.Thesescoresareoftenbasedonsoftwareincriticalsystemsorsoftwarethathas
highexposuretousersand/ortheInternet.AxismonitorstheCVE(CommonVulnerabilities&Exposure)databasewhichpublishes
knownvulnerabilitiesinsoftwarefortheCVEentriesthatrelatetotheopen-sourcepackagesusedinAxisdevices.Vulnerabilities
thatAxisidentiesaslimitedriskwillberemediedinfuturermwarereleases.VulnerabilitiesthatAxisidentiesasanincreased
riskwillbetreatedwithpriorityresultinginanunscheduledrmwarepatchorthepublishingofasecurityadvisoryinforming
abouttheriskandrecommendations.
Scanningtoolsreportingfalse-positives
Scanningtoolswilltypicallytrytoidentifyknownvulnerabilitiesbyexaminingversionnumbersofsoftwareandpackagesfound
inadevice.Thereisalwaysthepossibilitythatascanningtoolwillreportafalse-positiveremark,meaningthatthedevicedoes
notactuallyhavethevulnerability.Allremarksfromsuchscanningtoolsneedtobeanalyzedtovalidatethattheyinfactapply
tothedevice.YouneedtomakesurethattheAxisdevicehasthelatestrmwareversionasitmayincludepatchesthataddress
severalvulnerabilities.
Scope
Thisguideiswrittenfor,andcanbeappliedto,allAXISOS-basedproductsthatarerunninganAXISOSLTSoractivetrackrmware.
Legacyproductsrunning4.xxand5.xxrmwarearealsoinscope.
2
AXISOSVulnerabilityScannerGuide
Quickstartguide
Quickstartguide
ItisrecommendedtoperformregularvulnerabilityassessmentsoftheinfrastructuretheAxisdeviceispartofaswellasoftheAxis
deviceitself.Thesevulnerabilityassessmentsareusuallyperformedbynetworksecurityscanners.Thepurposeofavulnerability
assessmentistoprovideasystematicreviewofpotentialsecurityvulnerabilitiesandmiscongurations.Wewouldliketoemphasize
thefollowingrecommendationsbeforescanningtheAxisdeviceforvulnerabilitiesinordertomaximizethequalityofthescanning
reportaswellastoavoidcommonmistakesandfalse-positives.
•MakesurethatthermwareoftheAxisdeviceisuptodatewiththelatestavailablerelease,eitherontheAXISOS
long-termsupport(LTS)trackortheactivetrack.ThelatestavailableAXISOSrmwarecanbedownloadedhere.
•TherecommendationsinAXISOSHardeningGuideshouldbeappliedbeforescanningtoavoidfalse-positivesaswellas
makingsurethattheAxisdeviceisoperatedaccordingtoAxiscybersecurityrecommendations.
•Itisrecommendedtoperformasocalledcredentialedvulnerabilityscanwheree.g.thesecurityscannerisallowedto
logintotheAxisdeviceviaHTTP(S)orSSH.Acredentialedsecurityscanismoreeffectivesincethescansurfaceis
widenedsignicantly.
•Weemphasizetheimportanceofconductingthevulnerabilityscanusingwell-establishedpartnerswithabroadknowledge
andadedicatedsetofAxis-specicscanningpluginsonthemarket,suchasTenable,Rapid7,Qualys,orothers.
3
AXISOSVulnerabilityScannerGuide
Mostcommonremarks
Mostcommonremarks
Outdatedsoftwarecomponents
Background
Securityscannershighlightwhenadeviceisrunninganoutdatedversionofasoftwarecomponent.Itmayevenoccurthatthe
securityscannerisunabletodeterminewhatversionisactuallyrunningandagsitanyway.Thesecurityscannersimplycompares
theversionofthesoftwarecomponentsrunningontheAxisdeviceagainstthelatestavailableversion.Thesecurityscannerthen
outputsalistwithsecurityvulnerabilities,evenwithoutconrmationthatthedevicebeingtestedisreallyaffectedassuch.Thishas
beenobservedwiththeLinuxkernel,OpenSSL,Apache,BusyBox,OpenSSH,Curlandothers.
Open-sourcesoftwarecomponentsdoreceivenewfeatures,bugxesandsecuritypatchesthroughoutthecourseoftheir
development,resultinginahighreleasecycle.Therefore,itisnotuncommonthattheAxisdevicebeingtestedisnotrunningthe
latestversionofasoftwarecomponent.However,Axisismonitoringopen-sourcesoftwarecomponentsforsecurityvulnerabilities
thatcouldpotentiallybedeemedcriticalbyAxis,andwillpublishthoseaccordinglyinasecurityadvisory.
Commonreportterms
•"AvulnerableversionofLinuxwasfoundtobeutilized"
•"Accordingtoitsbanner,theversionofApacherunning"
•"Accordingtoitsbanner,theversionofOpenSSLrunning..."
•"ServerVersionDisclosure(Header)…"
Riskandrecommendations
FromAXISOS10.6andonwards,it’spossibletodisabletheOpenSSLandApacheheaderinformationbydisablingtheparameter
HTTPServerHeaderCommentsinPlaincong>System.Thismayresultinvulnerabilitiesnotbeingdetectedbysecurity
scannerssincethepackageversionisnoteasilyidentiable.Axisstronglyrecommendstokeepthedevicermwareup-to-date
andencouragestoperformsecurityauditsonyourdevices.
Apachewebserver
Background
Axisdevicesbasetheirwebinterfaceandotherweb-relatedfunctionalityontheApachewebserver.ThewebserverinAxisdevicesis
primarilybeingusedintwoscenarios:
•Forgeneralpurposemachine-to-machinecommunicationbetweentheAxisdeviceandthesystemit’sconnectedto,
usuallyavideomanagementsystemthatisaccessingtheAxisdeviceviaAPIinterfacessuchasONVIFandVAPIX.
•Theinstaller,administratorsandtheenduserperforming(initial)congurationandmaintenancetasks.
TheApachewebserverisamodule-basedopen-sourcepackage.Theseindividualmodulescancontainvulnerabilities.Belowisalist
ofmodulesthatarecommonlyloadedandusedonAxisdevices:
core_module(static)unixd_module(shared)authn_core_module
(shared)
proxy_fcgi_module
(shared)
authn_en-
coded_user_le_mod-
ule(shared)
so_module(static)alias_module(shared)authz_core_module
(shared)
proxy_http_module
(shared)
authz_urlaccess_mod-
ule(shared)
lter_module(static)rewrite_module
(shared)
authn_le_module
(shared)
proxy_wstunnel_mod-
ule(shared)
trax_module(shared)
brotli_module(static)cgid_module(shared)authz_user_module
(shared)
headers_module
(shared)
iptos_module(shared)
http_module(static)log_cong_module
(shared)
authz_owner_module
(shared)
http2_module(shared)axsyslog_module
(shared)
4
AXISOSVulnerabilityScannerGuide
Mostcommonremarks
suexec_module(static)setenvif_module
(shared)
auth_digest_module
(shared)
systemd_module
(shared)
ws_module(shared)
mime_module(shared)ssl_module(shared)auth_basic_module
(shared)
authn_axisbasic_mod-
ule(shared)
mpm_worker_module
(shared)
socache_shmcb_mod-
ule(shared)
proxy_module(shared)authz_axisgroup-
le_module(shared)
AvulnerabilitythatappliestoacertainmoduleinApacheneedstobeloadedandusedbytheAxisedgedevice.Vulnerabilitiesof
modulesthatarenotloadedarenotrelevant.
Commonreportterms
•"ApacheHTTPD:mod_proxy_ftpuseofuninitializedvalue(CVE-2020-1934)"
Riskandrecommendations
ApachevulnerabilitieswilltypicallyincreaseriskforpublicwebservicesexposedtoInternettargetingpublicusers.Thewebserver
inAxisdevicesshouldonlybeusedbyinstallers,administratorsandmaintainers.It’snotrecommendedtoexposeAxisdevicesto
beaccessibleovertheInternet,norshouldusershaveprivilegestouseawebbrowsertoaccessadeviceduringdailyoperations.
AdditionalsecuritycontrolssuchasIPTables,onlyallowingapprovedclientstoaccessanddisabling/preventingwebbrowsersfrom
accessingcanbeappliedtofurtherreducerisks.
OpenSSL
Background
AxisdevicesuseOpenSSLasacommonsecuritycorecomponenttoprovidesecurityfunctionalityfor,e.g.,HTTPS,certicate
andencryptionusecases."OutdatedOpenSSLversion"isacommonscanningremarkonAxisdevices,andnewvulnerabilities
arediscoveredfrequentlyinOpenSSL.
SimilartotheApachewebserver,OpenSSLisamodular-basedplatform;seebelowalistofmodulesthatarenotutilizedby
Axisproducts:
no-camelliano-heartbeatsno-mdc2no-srp
no-capiengno-hwno-rc5no-zlibthreads
no-dtlsno-ideano-sctp
no-dtls1no-md2no-seed
AvulnerabilitythatappliestoacertainmoduleinOpenSSLneedstobeloadedandusedbytheAxisedgedevice.Vulnerabilitiesof
modulesthatarenotloadedarenotrelevantbutmaystillbeaggedbythescanningtool.
Riskandrecommendations
VulnerabilitiesinOpenSSLdonotposeanyrisksifthesystemisnotusingservicessuchasHTTPSor802.1x(TLS),SRTP(RTSPS)
orSNMPv3.ItisnotpossibletocompromisethedeviceitselfasapotentialattackwouldtargettheTLSconnectionsandtrafc.
ExploitingOpenSSLvulnerabilitiesrequiresaccesstothenetwork,ahighskillsetandalotofdetermination.
Self-signedcerticate
Background
Axisdevicescomewithaself-signedcerticatethatisgeneratedautomaticallyuponrstbootinordertoprovidethepossibilityto
accesstheproductviaencryptedHTTPSconnectionandproceedwiththeinitialsetupoftheproduct.Securityscannersmayhighlight
theexistenceoftheself-signedcerticateasinsecureandAxisrecommendsremovingtheself-signedcerticatefromthedevice
andreplacingitwithaservercerticatethatistrustedinyourorganization.Theself-signedcerticateprovidesinthatsensea
condentialandsecuremechanismforinitialcongurationbutrequirestheusertostillchecktheauthenticityofthedeviceitself.
Commonreportterms
•"SSLCerticateCannotBeTrusted..."
5
AXISOSVulnerabilityScannerGuide
Mostcommonremarks
•"SSLSelf-SignedCerticat"
•"X.509CerticateSubjectCNDoesNotMatchtheEntityName..."
Riskandrecommendations
Self-signedcerticatesprovidenetworkencryptionbutdonotprotectfromman-in-the-middleattacks(arougeservice
impersonatingalegitimatenetworkservice).IfusingserviceslikeHTTPSor802.xit’srecommendedtouseCerticateAuthority(CA)
signedcerticates.ThesemustbesuppliedbythesystemownerusingapublicorprivateCA.IfnotusingHTTPSor802.1xthereare
norisks,andvulnerabilitiesintheunderlyingOpenSSLcannotbeusedtocompromisetheAxisdevice.ForAxisdevicesfeaturesAxis
EdgeVault,theself-signedcerticatewasreplacedbytheIEEE802.1ARdeviceIDcerticate.
RSAkeylength
Background
AsAxisdevicescomewithapre-loadedself-signedcerticate,somedeviceshaveashorterkeylengthforthecerticatethanthe
2048-bits.Thecerticateisalsoofanon-standardbitlengthtoensuremostreputableCA’swillrejectasigningrequestofthis.
Securityscannersmayhighlightthisasinsecureanditisrecommendedtoreplacethiscerticatebeforeproductiondeploymentas
itisonlyintendedforinitialsetup.
Commonreportterms
•"SSLCerticateChainContainsRSAKeysLessThan2048bits..."
•"LengthofRSAmodulusinX.509certicate:1536bits(lessthan2048bits)..."
Riskandrecommendations
Thisvulnerabilitycannotbeusedtocompromisethedevice.Thedefaultself-signedkeylengthofAxisdevicesissetto1536bitsin
ordertoreducetheconnectionlatencyandtimetogeneratethecerticateandkey.Thiskeylengthprovidesenoughprotectionfor
administrativetaskssuchasresettingdeviceaccountpasswordsandinitialsetupoftheAxisdevice.It’srecommendedtoreplacethe
defaultcerticatewithaCA-signedcerticatethatshouldbeprovidedbythesystemowner.
Ciphersettings
Background
Throughoutregularrmwareupdates,thelistofavailableciphersoftheAxisdevicemayreceiveupdateswithouttheactualcipher
congurationbeingchanged.Changingciphercongurationmustbeuser-initiated,eitherbyperformingafactorydefaultofthe
Axisdeviceorviamanualuserconguration.FromAXISOS10.8andonwards,thelistofciphersisautomaticallyupdatedwhen
theuserinitiatesarmwareupdate.
Commonreportterms
•"WeakCryptographicKey…"
•"TLS/SSLServerSupportsTheUseofStaticKeyCiphers…"
ItisrecommendedtoalwaysusethestrongestciphersforHTTPSencryptionwhenpossible.
TLS1.2andlower:WhenusingTLS1.2orloweryoucanspecifytheHTTPScipherstobeusedinPlainCong>HTTPS>Ciphersfollowed
byarestartoftheAxisdevice.Axisrecommendstoselectalloranyofthefollowingstrong-consideredciphers(updatedSeptember
2021),ortodoadesiredselectionofyourown.
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-
SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
TLS1.3:WhenusingTLS1.3,theHTTPSciphersparameterinPlainConghasnoeffectasperdefault,onlystrongciphersaccording
toTLS1.3willbeselected.Theselectioncannotbechangedbytheuserandisupdatedthrougharmwareupdateifneeded.
Currentlytheciphersare(updatedSeptember2021):
TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
6
AXISOSVulnerabilityScannerGuide
Webserverremarks
Webserverremarks
Boawebserver
Background
Axisdeviceswithrmwareversion5.65andlowerutilizetheBoawebserverforwebinterfaceandweb-relatedfunctionality.The
webserverinAxisdevicesisbeingprimarilyusedintwoscenarios:
•Forgeneralpurposemachine-to-machinecommunicationbetweentheAxisdeviceandthesystemitisconnectedto,
usuallyavideomanagementsystemthatisaccessingtheAxisdeviceviaAPIinterfacessuchasONVIFandVAPIX.
•Forcongurationandmaintenancetasksperformedbyinstallers,administratorsandendusers.
SimilartothenewerApachewebserverthatisutilizedbyAxisdeviceswithnewerrmware,theBoawebservercanbeaffectedby
vulnerabilities.SecurityscannersmaynotrecognizethewebserverusedinolderAxisdevicesandwillthereforesimplyassume
thatthesedevicesutilizetheApachewebserver.AvulnerabilitythatappliestotheApachewebserverdoesnotapplytotheBoa
webserverbydefaultifnotstatedotherwise.
Commonreportterms
•"Accordingtoitsbanner,theversionofApacherunning..."
•"TheversionofApachehttpdinstalledontheremotehostispriorto2.4.46.Itis,therefore,affectedbymultiple
vulnerabilities..."
ApacheStrutsandApacheTomcat
Background
AsdescribedinApachewebserveronpage4,Axisdevicesbasetheirwebinterfaceandweb-relatedfunctionalityontheopen-source
Apachewebserver.OtheravorsoftheApachewebserverexist,suchasApacheStrutsorTomcat,butarenotutilizedinAxisdevices.
Axisutilizestheplainopen-sourceApachewebserverimplementationoftheApacheSoftwareFoundation(ASF).
Commonreportterms
•"AvulnerabilityhasbeendiscoveredinApacheTomcat..."
•"TheJakartamultipartparserinApacheStruts..."
Webusersessions
Background
Axisdevicesbasetheirwebinterfaceandotherweb-relatedfunctionalityontheApachewebserver.ThewebserverinAxisdevicesis
primarilybeingusedintwoscenarios:
•Forgeneralpurposemachine-to-machinecommunicationbetweentheAxisdeviceandthesystemit’sconnectedto,which
usuallyisavideomanagementsystemthatisaccessingtheAxisdeviceviaAPIinterfacessuchasONVIFandVAPIX.
•Whentheinstaller,administratorsandtheenduserperform(initial)congurationandmaintenancetasks.
Currently,Axisdevicesdonotsupporttraditionalwebuserbasedsessionswhereit'spossibleforthewebsessiontoe.g.logoutor
automaticallyexpireafteracertainamountoftimeofuser-inactivitywhilethebrowserwindowisopen.Everyrequestthroughthe
webserveronanAxisdevicehastobeauthenticatedproperlyinordertobeprocessedbeforethespecicwebsessionisopenfor
furthercommunication.Inordertoactivelycloseawebsession,thebrowserhastobeclosed.
Commonreportterms
•"ConcurrentUserSessions…"
•"InsufcientSessionTerminationandExpiry…"
•"ApplicationLacksLogoutFeature…"
7
AXISOSVulnerabilityScannerGuide
Webserverremarks
Riskandrecommendations
Axisrecommendstoaccessthedevicethroughanapplication,suchasavideomanagementsystem(VMS),asprimaryvideoclient
insteadofusingthewebbrowserifthiswouldbesubjectofconcerns.However,ifthewebbrowseristheonlyvideoclientavailable,
havethefollowingguidelinesinmind:
•Donottovisituntrustedwebsitesoropene-mailsfromuntrustedsenders(thisisofcourseageneralcyberprotection
recommendation).
•Useadifferentbrowser,whichisnotthesystemdefault,toconguretheAxisdevice.
•Createavieweraccountonthedeviceandusethiswhenviewingthevideostream.Thevieweraccounthasminimal
privilegesandnorightstochangethecongurationoftheAxisdevice.
•Donotleavethebrowseropenunattendedaftercongurationinordertominimizetheattackwindow.
8
AXISOSVulnerabilityScannerGuide
Firmwareremarks
Firmwareremarks
Axisrmwareversionstring
Background
Axisdisclosesvulnerabilitiesandprovidesupdatedrmwarewithsecurityxessothatcustomerscanupdateandmitigatepotential
risks.SecurityscannersusuallyperformonlyalimitedcomparisonofthermwareversiontheAxisproductisrunningagainstolder,
outdatedrmwarethatmaycontainvulnerabilities.AsecurityscannermaynotrecognizetheAxisrmwarecorrectly,causingthe
scannertoagthermwarerunningasvulnerableorinsecure.Alwaysconsultthereleasenotesforthermwareversionofthe
productbeingtestedsinceseriousorcriticalvulnerabilitypatchesarelistedinthisdocument.
ItmaycauseconfusioniftheAxisdeviceisrunningacustomrmwareversionorifthesecurityscannerisnotupdatedwiththe
latestinformationofavailableAxisrmware.BelowaresomeexamplesofAxisrmwareversionstrings:
•9.70.1
•9.70.1_beta
•9.70.1.5
Commonreportterms
•"AxisMultipleVulnerabilities(ACV-128401)..."
Linuxdistributionandbuilt-inpackagemanager
Background
Securityscannersmaysupportasocalled"credentialedscan"usinglogindataviaweb-login(HTTP)orviathemaintenanceaccess
(SSH)inordertogetmoreinformationaboutthedevice,itsoperatingsystemandothersoftwarethatmightrunonit.TheLinux
distributionisaPoky(OpenEmbedded)versionwithbothlocalandupstreampatchesthatmaynotmatchorcanberecognized
assuchbythesecurityscanner.Furthermore,thesecurityscannermayexpecttheusageofapackagemanager,whichisnot
usedinAxisproducts.
BelowisacomparisonofthenamingschemebetweentheAxis-useddistributionandastandardLinuxdistribution.Notethatthe
lattermayberecognizedbythesecurityscannerandpasswhiletheAxisversionmaynot.Toillustratethis,wehavetheAxis-specic
4.9.206-axisandLinux-generic54.9.206-genericversionstrings.
Commonreportterms
•"LocalsecuritycheckshaveNOTbeenenabledbecausetheremoteLinuxdistributionisnotsupported..."
Unencryptedrmwareandchip
Background
SecurityscannersmayhighlighttheusageofashchipsusedintheAxisdeviceandmarkthemorthelesystemsassuchwith
"unencrypted".Axisdevicesdoencryptusersecretssuchaspasswords,certicates,keysandotherleswithoutnecessarilyencrypting
thelesystem.RemovablelocalstoragesuchasSDcardsareencryptedusingLUKSencryption.
Commonreportterms
•"Theashchipthatcontainstherootlesystemofthedeviceisnotencrypted...."
•"Informationwasextractedfromtheunencryptedrmwareimage,including...."
Riskandrecommendations
Thisvulnerabilitycannotbeusedtocompromisethedevice.Thermwaredoesnotcontainanysecretsbydefaultandneedsnoother
protectionthanthermwaresignaturetovalidatetheintegrity.Encryptedsoftwaremakesitharderforsecurityresearchersto
identifynew(unknown)vulnerabilities,andencryptedsoftwaremaybeusedbyvendorstohidedeliberateaws(securitythrough
obscurity).ForAxisdevices,rootaccessisrequiredtoaccessthelesystemofthedevicetogainaccesstoit.Sensitiveinformation
suchaspasswordsarestoredencryptedonthelesystemandrequireahighlevelofsophistication,skillset,timeanddetermination
9
AXISOSVulnerabilityScannerGuide
Firmwareremarks
toextract.Makesuretouseastrongrootpasswordandkeepitprotected.Usingthesamepasswordformultiplecamerassimplies
managementbutincreasestheriskifonecamera’ssecuritybeingcompromised.
Bootloader
Background
SecurityscannersmaybelievethattheyhaveidentiedthemakeandmodelofthebootloaderimplementationusedinAxisdevices
andcouldthereforehighlightvulnerabilitiesrelatedtosecurebootorthebootloaderitself.Axisnetworkvideoandnetworkaudio
productsutilizeanin-housedevelopedbootloaderreferredtoasnandboot/netboot.
Commonreportterms
•"AvulnerabilityinallversionsoftheGRUB2bootloaderhasbeendetected..."
•"AnissuewasdiscoveredinDasU-Bootthrough2019.07..."
10
AXISOSVulnerabilityScannerGuide
Networkremarks
Networkremarks
TCP/ICMPtimestampresponse
Background
WhileTCPandICMPtimestampinformationismostoftenusedasnetworktoolstomeasureperformanceandavailabilityofhosts,it
canalsobeusedtondtime-relatedinformationaboutthenetworkdeviceitself.TheICMPtimestampinformationinICMPtype13
(timestamprequest)andICMPtype14(timestampreply)communicationprovidesinformationthatcouldbeusedtocalculatethe
actualdevicetimeinUTC.TheTCPtimestampinformationcanbeusedtocalculatethesocalledround-triptime(RTT)information
betweentwonetworkhosts,whichwouldmakeitpossibletocalculatethecurrentuptimeoftheAxisdevice.
SecurityscannersmayagtheexistenceofTCPandICMPtimestampresponsesfromAxisdevicesandrecommendtodisableTCPand
ICMPtimestampresponseswheneverpossible.AxisfollowstherecommendationoftheLinuxopen-sourcecommunitywhichdoes
notconsidertheactualdate/timeinformationprovidedfromtheseresponsesasasecurityriskbyitself.ThereforetheTCP/ICMP
timestampresponsesarestillenabledbydefault.Furthermore,innewerLinuxKernelversionstheactualcalculationisconsidered
unreliableascounter-measuresensuretomakeitunreliabletocalculatethedate/timeinformation.Asoftoday(February2022),no
knownvulnerabilitiesorexploitshavebeendisclosedthatwouldjustifydisablingtheseservicesinAxisdevices.
Commonreportterms
•"TCPtimestampresponsefound…"
•"ICMPtimestampresponsefound…"
HTTP(S),HSTSpolicy
Background
AxisdevicesareconguredbydefaulttoallowHTTPandHTTPSconnections.Itisrecommendedtomakeuseoftherst-boot
generatedself-signedcerticateinordertoperformtherstinitialcongurationoftheAxisdeviceinHTTPSmodeandtoswitchthe
congurationtoonlyallowforHTTPSconnections.HTTPScanbeenforcede.g.fromthewebinterfaceoftheAxisdevicefollowing
Settings>System>Security.Furthermore,usingHSTS(HTTPStrictTransportSecurity)tofurtherincreasedevicesecurityis
automaticallyenabledonlywhentheAxisdeviceisoperatedinHTTPS-onlymode.HSTSissupportedinthe2018LTS(8.40),
2020LTS(9.80)andtheAXISOS10.1activetrack.
SecurityscannersmayhighlightthattheAxisdevicebeingtestedisconguredtoallowHTTPonlyorHTTP&HTTPSatthesame
time.ThedetectionisusuallyperformedbyvalidatingtheresponsefromandcheckingtheportstatusofthestandardHTTPport
80.AxisrecommendstousethedeviceinHTTPSmodeonlybyconguringthisaccordingly.Manysecurityscannerauditsare
performedonAxisdeviceswherethisspecicHTTPS-onlycongurationisnotenforcedbyallowingtheAxisdevicetorespond
toHTTPand/orHTTPSconnections.
Commonreportterms
•"HTTP(Port80)insecurechanneldetected..."
•"WebPortalAllowsUnencryptedHTTPConnectionsByDefault..."
•"TheremotewebserverisnotenforcingHSTS,asdenedbyRFC6797..."
•"InsufcientTransportLayerSecurity…"
11
AXISOSVulnerabilityScannerGuide
Hardwareremarks
Hardwareremarks
Architecturevulnerabilities
Background
Certainvulnerabilitiesmaydependontheprocessorarchitecturethatadeviceisusing.Axisedgedevices,suchascameras,
encoders,wearables,audioandintercomproducts,arebasedonMIPSandARMarchitectureandare,e.g.,notaffectedbyx64or
x86architecture-basedvulnerabilities.
Commonreportterms
•"OpenSSLrsaz_512_sqroverowbugonx86_64(CVE-2019-1551)..."
•"x64_64Montgomerysquaringprocedure..."
UART/Serialconsole
Background
PhysicalinspectionofthehardwareofanAxisdevicemayhighlighttheexistenceofaUART(UniversalAsynchronousReceiver
Transmitter)orserialconsole.Axisreferstothisasadebugport.Thedebugportisonlyusedfordevelopmentanddebugging
purposesduringengineeringprojects.Whilenosensitiveinformationisexposedwhilebeingunauthenticated,theaccesstothe
debugportispasswordrestrictedandonlytherootusermaylogin.FromAXISOS10.11andonwards,theUART/serialconsoleis
disabledbydefaultandcanonlybeenabledafterunlockingitviaadevice-uniquecustomrmwarecerticate.Thisisprovidedby
Axisonlyandcannotbegeneratedinanyotherway.
Commonreportterms
•"InformationDisclosureviaUART/SerialConsole..."
•"RootShellviaUART/SerialConsole..."
•"OnthePCB,theheadersexposedaUARTconsole..."
12
Ver.M3.2
AXISOSVulnerabilityScannerGuideDate:August2022
©AxisCommunicationsAB,2022PartNo.
-
1
-
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
Axis OS Vulnerability Scanner is a powerful tool that enables you to assess the security posture of your Axis devices and identify potential vulnerabilities. With its advanced scanning capabilities, it provides comprehensive insights into the security risks associated with outdated software components, Apache web server configurations, and OpenSSL vulnerabilities, allowing you to take proactive measures to mitigate these risks and enhance the overall security of your network.
Ask a question and I''ll find the answer in the document
Finding information in a document is now easier with AI
Related papers
Other documents
-
Cisco Secure Firewall Management Center Configuration Guide
-
Cisco FirePOWER 8000 Series Appliances Configuration Guide
-
Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual
-
Novell Sentinel 5.1.3 User guide
-
-
-
Dell 4.xx Series Reference guide
-
-
Fortinet 5.0 Patch 6 User manual
-
Cisco Unified Contact Center Enterprise 12.5(1) User guide