MOBOTIX HUB Management Server - possible Remote Code Execution by an authenticated user


Publication Date: 09.05.2023

SUMMARY
MOBOTIX has released a software update for MOBOTIX HUB VMS that fixes a security vulnerability which could allow Remote Code Execution by an authenticated user on the Management Server service.

AFFECTED PRODUCTS AND SOLUTIONS

  • MOBOTIX HUB Management Server 2023 R1
  • MOBOTIX HUB Management Server 2022 R3
  • MOBOTIX HUB Management Server 2022 R2
  • MOBOTIX HUB Management Server 2022 R1
  • MOBOTIX HUB Management Server 2021 R2
  • MOBOTIX HUB Management Server 2021 R1
  • MOBOTIX HUB Management Server 2020 R3
  • MOBOTIX HUB Management Server 2020 R2

WORKAROUNDS AND MITIGATIONS
There are currently no known workarounds. Please update your system with the latest MOBOTIX HUB Security Patch 2023R1!
https://www.mobotix.com/en/node/18659

Check the Release Notes for more information:
https://www.mobotix.com/sites/default/files/2023-05/Release_Note_MOBOTIX_HUB_Software_0.html

GENERAL SECURITY RECOMMENDATIONS
As a general security measure, MOBOTIX strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow the security practices recommended in the MOBOTIX Hardening Guide to run the devices in a protected IT environment.
Please check our latest version of Cyber Security & Data Protection:

PRODUCT DESCRIPTION
The management server is the central component of the VMS system. It stores the configuration of the surveillance system in an SQL database, either on a SQL Server on the management server computer itself or on a separate SQL Server on the network. It also handles user authentication, user permissions, the rule system and more. To improve system performance, you can run several management servers as a MOBOTIX HUB Federated Architecture. The management server runs as a service and is typically installed on a dedicated server.

Users connect to the management server for initial authentication, then transparently to the recording servers for access to video recordings, etc.

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be defined individually by the customer to arrive at the final score.

At the time of advisory publication, no public exploitation of this security vulnerability was known. MOBOTIX confirms the security vulnerability and provides mitigations to resolve the security issue.

CVSS v3.1 Base Score: 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in MOBOTIX Systems products, please contact MOBOTIX Support!