1. Home
  2. Network Vulnerabilities
  3. How to remediate – ONVIF Device Information
Searching...

How to remediate – ONVIF Device Information

Contents

1. Introduction

The ONVIF Device Information vulnerability means a remote service is responding to requests for device details using the ONVIF protocol. This allows information about network cameras and other devices to be gathered without authentication, potentially aiding reconnaissance by attackers. Systems commonly affected are IP cameras, Network Video Recorders (NVRs), and related video surveillance equipment. A successful information gather could lead to further attacks on these systems, impacting confidentiality of device configuration, integrity through potential manipulation, and availability via denial-of-service.

2. Technical Explanation

The vulnerability occurs because the ONVIF service doesn’t require authentication for the GetDeviceInformation request. This allows anyone on the network to query the device for details like manufacturer, model, firmware version and serial number. An attacker could use this information to identify vulnerable devices and target them with specific exploits. There is no known CVE associated with this general information disclosure, but it’s a common configuration issue.

  • Root cause: Missing or weak authentication for the ONVIF GetDeviceInformation request.
  • Exploit mechanism: An attacker sends a standard SOAP request to the device’s ONVIF port (typically 80 or 443) and receives a response containing device information. For example, using a tool like SoapUI or even `curl` with an appropriate XML payload.
  • Scope: IP cameras, NVRs, video management systems (VMS) that implement the ONVIF standard. Affected versions depend on the specific vendor implementation; many older devices are vulnerable by default.

3. Detection and Assessment

Confirming vulnerability involves checking if the device responds to an ONVIF request. A thorough method is a network scan specifically looking for ONVIF services.

  • Quick checks: Use `curl` to send a basic GetDeviceInformation request to the device’s IP address and port 80 or 443. If you receive an XML response, the service is likely vulnerable.
  • Scanning: Nessus plugin ID 10392 can detect this issue. OpenVAS also has relevant checks under the ONVIF category. These are examples only as scanner coverage varies.
  • Logs and evidence: Check device logs for successful responses to GetDeviceInformation requests from unknown sources. Log locations vary by vendor.
curl -k -u 'admin:' http://<device_ip>:80/onvif/service

4. Solution / Remediation Steps

Fixing this issue involves either enabling authentication or disabling the ONVIF service if it isn’t needed.

4.1 Preparation

  • Ensure you have administrator credentials for the device. Roll back involves restoring the original configuration or re-enabling ONVIF.
  • Changes should be made during scheduled maintenance windows with appropriate approval from IT security.

4.2 Implementation

  1. Step 1: Log in to the device’s web interface as an administrator.
  2. Step 2: Navigate to the ONVIF settings section (location varies by vendor).
  3. Step 3: Enable authentication for ONVIF access, setting a strong username and password.
  4. Step 4: If ONVIF isn’t required, disable it completely within the device’s configuration menu.
  5. Step 5: Save the changes and reboot the device if prompted.

4.3 Config or Code Example

Before

<onvif >
  <GetDeviceInformation/>

After

<onvif >
  <Username>admin
  <Password>your_strong_password
  <GetDeviceInformation/>

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence. If a practice does not apply, do not include it.

  • Practice 1: Least privilege – limit access to ONVIF settings to only authorised personnel.

4.5 Automation (Optional)

# Example PowerShell script to check ONVIF authentication status (requires vendor-specific API access)
# This is a placeholder - adapt for your specific device management system
# $deviceIP = "192.168.1.10"
# $apiEndpoint = "http://<your_api_endpoint>"
# $response = Invoke-RestMethod -Uri "$apiEndpoint/onvif/authstatus?ip=$deviceIP"
# if ($response.AuthenticationEnabled -eq $false) {
#   Write-Host "ONVIF authentication is disabled on $deviceIP. Consider enabling it."
# }

5. Verification / Validation

Confirm the fix by checking that authentication is now required for ONVIF requests.

  • Re-test: Re-run the Nessus scan; it should no longer report the vulnerability.
  • Monitoring: Check device logs for failed authentication attempts from unknown sources, indicating potential reconnaissance activity.
curl -k -u 'admin:' http://<device_ip>:80/onvif/service

6. Preventive Measures and Monitoring

Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.

  • Baselines: Update security baselines for IP cameras to include mandatory authentication for ONVIF services.
  • Pipelines: Include checks in deployment pipelines to verify default credentials haven’t been used and that authentication is enabled on new devices.
  • Asset and patch process: Implement a regular review cycle for device firmware updates, as vendors often address these vulnerabilities in newer versions.

7. Risks, Side Effects, and Roll Back

  • Roll back: 1) Log in to the device’s web interface as an administrator. 2) Re-enable authentication if it was disabled and correct any incorrect settings. 3) Re-enable ONVIF if it was disabled. 4) Save changes and reboot the device if prompted.

8. References and Resources

Link only to sources that match this exact vulnerability. Use official advisories and trusted

Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles