1. Introduction
The ONVIF Get Device User List vulnerability means that a device's ONVIF service answers requests for its user list without requiring authentication. This allows an attacker to potentially enumerate valid usernames on affected devices, aiding further attacks such as password brute-forcing. IP cameras and network video recorders are typically affected. A successful exploit could compromise the confidentiality of account details.
2. Technical Explanation
- Root cause: missing or insufficient authentication for the GetUsers request.
- Exploit mechanism: An attacker sends a GetUsers SOAP message to the device’s ONVIF port (typically 80 or 443). The service responds with an XML list of usernames. For example, a tool such as SoapUI can be used to send a GetUsers request to http://[target_ip]/onvif/service and inspect the response.
- Scope: Devices running ONVIF-compliant firmware are affected. Specific versions depend on the manufacturer and their implementation.
3. Detection and Assessment
You can confirm the vulnerability by checking whether a user list is returned for an unauthenticated request. A more thorough method is to use a network scanner to identify ONVIF services and then test each one for this behaviour.
- Quick checks: Check the device’s web interface for ONVIF settings and whether authentication is required.
- Scanning: Nessus plugin ID 10863 can detect this vulnerability. Other scanners may have similar plugins.
- Logs and evidence: Look for SOAP requests to the /onvif endpoint in network device logs, particularly those containing GetUsers.
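A log triage routine for the "Logs and evidence" check above, added here as an example and not taken from the page or from any vendor tool. It assumes an HTTP inspection or WAF log that recorded the path, status, request headers and SOAP body of each request, and it treats a request as authenticated when it carries an HTTP Authorization header or a WS-Security UsernameToken; the sample events are constructed.

```python
import re
from collections import Counter

# Constructed sample events in the shape of an HTTP inspection / WAF log (assumption:
# the logger records path, status, request headers and the SOAP body of each request).
SOAP = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">{hdr}<s:Body>'
        '<tds:{op} xmlns:tds="http://www.onvif.org/ver10/device/wsdl"/></s:Body></s:Envelope>')
WSSE = ('<s:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken><wsse:Username>vms'
        '</wsse:Username></wsse:UsernameToken></wsse:Security></s:Header>')
EVENTS = [
    {"ts": "10:00:01", "src": "10.0.0.5", "path": "/onvif/service", "status": 200,
     "headers": {}, "body": SOAP.format(hdr=WSSE, op="GetUsers")},           # legitimate VMS, WS-Security
    {"ts": "10:05:10", "src": "10.0.0.9", "path": "/onvif/service", "status": 200,
     "headers": {}, "body": SOAP.format(hdr="", op="GetUsers")},             # unauthenticated and answered
    {"ts": "10:05:11", "src": "10.0.0.9", "path": "/onvif/service", "status": 200,
     "headers": {}, "body": SOAP.format(hdr="", op="GetDeviceInformation")}, # not a user-list request
    {"ts": "10:07:00", "src": "10.0.0.9", "path": "/onvif/service", "status": 401,
     "headers": {}, "body": SOAP.format(hdr="", op="GetUsers")},             # rejected after the fix
]

GET_USERS = re.compile(r"<(?:\w+:)?GetUsers\b")          # tds:GetUsers or unprefixed element
WS_SECURITY = re.compile(r"<(?:\w+:)?UsernameToken\b")   # WS-Security UsernameToken header

def is_get_users(body: str) -> bool:
    return bool(GET_USERS.search(body))

def is_authenticated(event: dict) -> bool:
    """An HTTP Authorization header or a WS-Security UsernameToken counts as authenticated."""
    return "Authorization" in event["headers"] or bool(WS_SECURITY.search(event["body"]))

def triage(events):
    """Return unauthenticated GetUsers requests to /onvif: those the device answered with
    200 ('exposed', i.e. the user list went out) and a per-source count of all attempts."""
    exposed, attempts = [], Counter()
    for ev in events:
        if not ev["path"].startswith("/onvif") or not is_get_users(ev["body"]):
            continue
        if is_authenticated(ev):
            continue
        attempts[ev["src"]] += 1
        if ev["status"] == 200:
            exposed.append((ev["ts"], ev["src"]))
    return {"exposed": exposed, "attempts": dict(attempts)}

if __name__ == "__main__":
    for ts, src in triage(EVENTS)["exposed"]:
        print(f"{ts} {src}: unauthenticated GetUsers answered with 200, device exposes its user list")
```

Repeated entries in `attempts` from one source, or any entry in `exposed`, are the evidence of enumeration that the bullet above asks you to look for.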
soapui -url http://[target_ip]/onvif/service -request "GetUsers"
4. Solution / Remediation Steps
The best way to fix this is to enable authentication for ONVIF or disable the service if it isn’t needed. These steps are small and can be rolled back easily.
4.1 Preparation
- Dependencies: Ensure you have administrator access to the device’s web interface. Rollback involves reverting to the previous configuration snapshot.
- A change window may be needed for production systems. Approval from a security team lead is recommended.
4.2 Implementation
- Step 1: Log into the device’s web interface as an administrator.
- Step 2: Navigate to the ONVIF settings section (location varies by manufacturer).
- Step 3: Enable authentication for ONVIF access, if available. This usually involves setting a username and password.
- Step 4: If authentication cannot be enabled, disable the ONVIF service entirely.
- Step 5: Save the changes and restart the device if prompted.
4.3 Config or Code Example
Before
// ONVIF Authentication: Disabled
After
// ONVIF Authentication: Enabled, Username: admin, Password: [secure_password]
4.4 Security Practices Relevant to This Vulnerability
Practices like least privilege and secure defaults directly address this issue.
- Practice 1: Least privilege – limit access to ONVIF services only to authorised users or systems, reducing the impact if compromised.
- Practice 2: Secure Defaults – Ensure that new devices are configured with strong authentication enabled by default.
4.5 Automation (Optional)
Automation is unlikely for this vulnerability due to varied device interfaces. However, configuration management tools can be used if the interface supports API access.
# Example using a hypothetical API call (replace with actual API commands):
# api_call("set_onvif_authentication", "enabled", "true")
# api_call("set_onvif_username", "admin")
# api_call("set_onvif_password", "[secure_password]")
5. Verification / Validation
Confirm the fix by attempting to retrieve the user list without authentication. A successful test will show an error or require credentials.
- Post-fix check: Using SoapUI, attempt a GetUsers request again. The expected output should be an authentication error (e.g., 401 Unauthorized).
- Re-test: Re-run the Nessus scan and confirm that the vulnerability is no longer reported.
- Monitoring: Check logs for failed GetUsers requests, indicating attempted enumeration.
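A classifier for the post-fix check above, added as an example and not part of the original page: it takes the HTTP status and SOAP body returned by that GetUsers request and reports whether the device rejected it, still exposed its user list, or answered with something that needs a manual look. The fault and response fixtures are constructed and assume the usual ONVIF SOAP 1.2 layout (a tds:GetUsersResponse with tds:User children, and a ter:NotAuthorized fault).

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
TDS_NS = "http://www.onvif.org/ver10/device/wsdl"     # ONVIF device management namespace
TT_NS = "http://www.onvif.org/ver10/schema"           # ONVIF common schema namespace

# Constructed sample answers to an unauthenticated GetUsers (assumption: typical ONVIF shapes).
REJECTED_FAULT = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:ter="http://www.onvif.org/ver10/error"><s:Body>'
    '<s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value>ter:NotAuthorized'
    '</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en">Sender not authorized'
    '</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>')
EXPOSED_LIST = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><tds:GetUsersResponse xmlns:tds="{TDS_NS}" '
    f'xmlns:tt="{TT_NS}"><tds:User><tt:Username>admin</tt:Username><tt:UserLevel>Administrator'
    '</tt:UserLevel></tds:User></tds:GetUsersResponse></s:Body></s:Envelope>')

def classify_get_users_response(status: int, body: str) -> str:
    """Classify what the device returned for an unauthenticated GetUsers request.

    'rejected': HTTP 401 or a SOAP Fault (e.g. ter:NotAuthorized); the fix is effective
    'exposed' : a GetUsersResponse with at least one User element; still vulnerable
    'other'   : empty list, unparsable body or an unrelated response; check manually
    """
    if status == 401:
        return "rejected"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "other"
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None:
        return "other"
    if soap_body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return "rejected"
    resp = soap_body.find(f"{{{TDS_NS}}}GetUsersResponse")
    if resp is not None and resp.find(f"{{{TDS_NS}}}User") is not None:
        return "exposed"
    return "other"

if __name__ == "__main__":
    print(classify_get_users_response(200, REJECTED_FAULT))  # rejected
    print(classify_get_users_response(200, EXPOSED_LIST))    # exposed
```

The classifier deliberately does not print any usernames; it only tells you whether the remediation held.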
soapui -url http://[target_ip]/onvif/service -request "GetUsers" # Expect 401 Unauthorized
6. Preventive Measures and Monitoring
Regular security baselines and patch management are important for preventing this issue.
- Baselines: Update your security baseline to include a requirement for ONVIF authentication or disabling unused services.
- Pipelines: Consider adding checks in deployment pipelines to verify that default credentials have been changed on new devices.
- Asset and patch process: Implement a regular review cycle (e.g., quarterly) to check device configurations against the security baseline.
7. Risks, Side Effects, and Roll Back
Enabling authentication may require updating client applications with new credentials. Disabling ONVIF will prevent any functionality that relies on it.
- Risk or side effect 1: Enabling authentication might break compatibility with older clients not configured for authentication.
- Risk or side effect 2: Disabling ONVIF may affect remote management features.
- Roll back: Restore the previous configuration snapshot. If only authentication was enabled, disable it again in the web interface.
8. References and Resources
- Vendor advisory or bulletin: Check your device manufacturer’s website for specific security advisories related to ONVIF.
- NVD or CVE entry: No specific CVE currently exists, but search NVD for ONVIF vulnerabilities generally.
- Product or platform documentation relevant to the fix: Refer to your device’s user manual for instructions on configuring ONVIF authentication.