Hi,
Please continue reading if you meet these criteria:
- Blue Iris version OLDER than 4.4.9.4
- Non-LAN only authentication
- Limit IP access
For example, if you have Non-LAN only authentication turned on, someone from the Internet can access your cameras/Blue Iris instance as if they were in your LAN.
I reported this security vulnerability to Ken/Support on 11/28/2016 and they promptly confirmed and fixed it on 12/11/2016.
It doesn't appear that Blue Iris Software widely reported this as a security update so I will let this serve as a public warning. I am not going to disclose the vulnerability at this point in order to give folks time to update.
The actual update that fixed this was earlier than 4.4.9.4 but I did a poor job of tracking the version. I hesitate to name an earlier minor version that had the fix as I don't have a way to quickly confirm it. The vulnerability does exist in the initial release of 4.4.9. I warn against updating to anything beyond .4 at this point as there are some other functionality issues with .5 and .6.