Milestone Open Network Bridge (ONVIF)

April 01, 2021
New installer for increased security is now available.
A new installer for Milestone’s Open Network Bridge (ONVIF) is now available for download. The new installer adds another layer of security to ONVIF communication. ONVIF specification requires digest authentication as the authentication mechanism between ONVIF clients and the ONVIF server. To do that, the ONVIF server must access the encrypted user credentials. In the new installer we redesigned the way these credentials are stored, to ensure that users cannot access them back via the MIP SDK and use reverse-engineering to decrypt the information. 
Milestone advises all Open Network Bridge users to use the new installer
At this time, no public exploitation of this security vulnerability is known. This recommendation is based on Milestone’s ongoing product security tests. Since this potential vulnerability is not product specific, we highly recommend all Milestone Open Network Bridge users to disable the service and reinstall it using the new installer. Using the new installer adds another level of security to ONVIF communication and resolves the issue completely for all supported XProtect products and versions.

DOWNLOAD THE INSTALLER FOR FREE
What is Milestone Open Network Bridge (ONVIF)
Milestone Open Network Bridge is an open ONVIF compliant interface for standardized and secure video sharing from XProtect VMS systems to other IP-based security systems. This enables law enforcement, surveillance centers, or similar organizations (referred to as ONVIF clients) to access live and recorded H.264 video streams from your XProtect VMS system to their central monitoring solutions. The video streams are sent as RTSP streams over the Internet.
General security measures
Milestone strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommendations in the Milestone Hardening Guide security practices to run the devices in a protected IT environment.
Got more question?
For further inquiries on security vulnerabilities in Milestone System’s products, please contact Milestone’s PSIRT team at: cybersecurity@milestonesys.com