1. Introduction
The ONVIF Stream URI vulnerability allows unauthenticated users to retrieve video stream URIs from affected devices. This exposes video feeds, potentially allowing unauthorised viewing and monitoring of sensitive areas. Systems commonly affected are IP cameras, network video recorders (NVRs), and other devices supporting the ONVIF standard. A successful exploit could lead to confidentiality loss through access to live or recorded video streams.
2. Technical Explanation
The vulnerability occurs because some ONVIF-compliant devices do not require authentication to retrieve stream URIs. Attackers can send simple GetProfiles and GetStreamUri requests to the device, receiving a response containing the URI needed to access the video feed directly. No specific CVE is currently associated with this general issue, but it represents a configuration weakness (CWE-306: Insufficiently Protected Resources). An attacker could use tools like `curl` or dedicated ONVIF clients to enumerate stream URIs and then view the video streams using standard media players.
- Root cause: Missing authentication checks on ONVIF requests for stream URI retrieval.
- Exploit mechanism: An attacker sends GetProfiles and GetStreamUri ONVIF requests to a device without providing credentials, receiving the stream URIs in response. For example, using `curl http://
/onvif/service`. - Scope: IP cameras and NVRs implementing the ONVIF standard are affected. Specific versions depend on manufacturer implementation; older firmware is more likely to be vulnerable.
3. Detection and Assessment
Confirming vulnerability involves checking if stream URIs can be retrieved without authentication. A quick check is to attempt access via a web browser, while thorough assessment uses ONVIF-specific tools.
- Quick checks: Attempt to access the ONVIF service URL in a web browser (e.g., `http://
/onvif/service`). If XML data containing stream URIs is returned without prompting for credentials, the device is likely vulnerable. - Scanning: Nessus plugin ID 16849 can identify this vulnerability. Other vulnerability scanners may have similar checks.
- Logs and evidence: Examine device logs for ONVIF requests originating from unknown sources. Look for successful GetProfiles or GetStreamUri calls without corresponding authentication events.
curl http:///onvif/service 4. Solution / Remediation Steps
Fixing this issue requires either enabling authentication on the ONVIF service, restricting access via IP filtering, or disabling ONVIF if it is not needed.
4.1 Preparation
- Ensure you have administrator credentials for the device. A roll back plan involves restoring the original configuration from backup.
- A change window may be needed if disabling ONVIF impacts connected systems. Approval from the system owner is recommended.
4.2 Implementation
- Step 1: Log in to the device’s web interface as an administrator.
- Step 2: Navigate to the ONVIF settings section (location varies by manufacturer).
- Step 3: Enable authentication for ONVIF requests, if available. Configure strong usernames and passwords.
- Step 4: If authentication is not possible or desired, restrict access to the ONVIF port (typically TCP 80) using firewall rules to only trusted IP addresses.
- Step 5: If ONVIF is not required, disable it completely within the device’s settings.
4.3 Config or Code Example
Before
<streamURI>/onvif/service</streamURI>After
<streamURI>/onvif/service?username=admin&password=securepassword</streamURI>4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue.
- Practice 1: Least privilege – limit access to sensitive services like ONVIF to only necessary users and systems, reducing the impact if exploited.
- Practice 2: Secure defaults – ensure devices are configured with strong default credentials or require a password change during initial setup.
4.5 Automation (Optional)
No suitable automation script is provided due to device-specific configurations.
5. Verification / Validation
- Post-fix check: Attempt `curl http://
/onvif/service` again. The request should now return an error (e.g., 401 Unauthorized) or prompt for credentials. - Re-test: Re-run the Nessus scan to confirm the vulnerability is no longer detected.
- Smoke test: Verify that video streaming still functions correctly with valid authentication credentials.
curl http:///onvif/service - should return 401 Unauthorized 6. Preventive Measures and Monitoring
Updating security baselines and implementing a regular patch process are key preventive measures.
- Baselines: Update your device security baseline to include requirements for ONVIF authentication or IP filtering.
- Asset and patch process: Implement a regular review cycle (e.g., monthly) to check for firmware updates and apply security patches promptly.
7. Risks, Side Effects, and Roll Back
Enabling authentication may require updating client configurations. Disabling ONVIF could impact integrated systems.
- Risk or side effect 1: Enabling authentication may break compatibility with older clients that do not support it.
- Risk or side effect 2: Disabling ONVIF will prevent any connected systems from accessing video streams through the ONVIF protocol.
- Roll back: Restore the original device configuration from backup if changes cause issues. Re-enable ONVIF and revert firewall rules if necessary.
8. References and Resources
Links to official resources related to this vulnerability.
- Vendor advisory or bulletin: Check your device manufacturer’s website for specific security advisories.
- NVD or CVE entry: No specific CVE is associated with this general issue, but search NVD for ONVIF vulnerabilities.
- Product or platform documentation relevant to the fix: Refer to your device’s user manual for instructions on configuring ONVIF authentication and access control.