MOBOTIX HUB Event Server - possible Remote Code Execution by an authenticated user

Publication Date: 09.05.2023

SUMMARY
MOBOTIX has released a software update for MOBOTIX HUB VMS that fixes a security vulnerability in the
Event Server service which could allow Remote Code Execution by an authenticated user.

AFFECTED PRODUCTS AND SOLUTIONS

  • MOBOTIX HUB Event Server 2023 R1
  • MOBOTIX HUB Event Server 2022 R3
  • MOBOTIX HUB Event Server 2022 R2
  • MOBOTIX HUB Event Server 2022 R1
  • MOBOTIX HUB Event Server 2021 R2
  • MOBOTIX HUB Event Server 2021 R1
  • MOBOTIX HUB Event Server 2020 R3
  • MOBOTIX HUB Event Server 2020 R2

WORKAROUNDS AND MITIGATIONS
There are currently no known workarounds. Please update your system with the latest MOBOTIX HUB Security Patch 2023R1!
https://www.mobotix.com/en/node/18659

Check the Release Notes for more information:
https://www.mobotix.com/sites/default/files/2023-05/Release_Note_MOBOTIX_HUB_Software_0.html

GENERAL SECURITY RECOMMENDATIONS
As a general security measure MOBOTIX strongly recommends protecting network access to affected
products with appropriate mechanisms. It is advised to follow the security practices recommended in the
MOBOTIX Hardening Guide to run the devices in a protected IT environment.
Please check our latest version of Cyber Security & Data Protection:

PRODUCT DESCRIPTION
The Event Server handles various tasks related to events, alarms, and maps, and potentially also third-party
integrations via the MIP SDK.

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS
v3.1) (https://www.first.org/cvss). The CVSS environmental score is specific to the customer’s environment
and will impact the overall CVSS score. The environmental score should therefore be individually defined
by the customer to accomplish final scoring.
At the time of advisory publication, no public exploitation of this security vulnerability was known.
MOBOTIX confirms the security vulnerability and provides mitigations to resolve the security issue.
CVSS v3.1 Base Score: 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in MOBOTIX Systems products, please contact MOBOTIX Support.