User 'Cameras' with no password: do you have one?

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,673
Reaction score
14,017
Location
USA
I don't know if that update included the fix or not. The "cameras" account was still on my system after updating. I had already marked it "LAN-only", yesterday, and it remained that way after the update this morning.
 

digger11

Getting comfortable
Joined
Mar 26, 2014
Messages
368
Reaction score
376
I don't know if that update included the fix or not. The "cameras" account was still on my system after updating. I had already marked it "LAN-only", yesterday, and it remained that way after the update this morning.
4.1.7.1 didn't fix the account that was added by 4.1.7.0.

I confirmed that running 4.1.7.0, and without modifying the cameras account that was added by 4.1.7.0, I was able to log into BI remotely using the username cameras and no password. I then applied the 4.1.7.1 update and tried it again. I was still able to log in with no password. I went in and edited the cameras user to be LAN only, and can no longer log in remotely with that user.
 

technet

Getting the hang of it
Joined
Dec 25, 2014
Messages
136
Reaction score
17
4.1.7.1 didn't fix the account that was added by 4.1.7.0.

I confirmed that running 4.1.7.0, and without modifying the cameras account that was added by 4.1.7.0, I was able to log into BI remotely using the username cameras and no password. I then applied the 4.1.7.1 update and tried it again. I was still able to log in with no password. I went in and edited the cameras user to be LAN only, and can no longer log in remotely with that user.
Please read post #62.
 

digger11

Getting comfortable
Joined
Mar 26, 2014
Messages
368
Reaction score
376
More info...

I have a second BI server, this one running 4.1.4.0, and also running BI as a service. I just applied the 4.1.7.1 update, and on this server only the admin account was added.

My recommendation would be that everyone check to see if they have a cameras user, and if so, secure or remove that account. I'll also be checking the list of users before and after any future updates.
 
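The "check the user list before and after any future updates" habit described above is a baseline diff: snapshot the accounts, apply the update, snapshot again, and flag anything new or newly weak. The script below is an added example of that audit and is not Blue Iris code or output; the User record fields (name, password_set, lan_only, admin) and the two snapshots are constructed for illustration, so in practice you would populate them from however your NVR exposes its user list.

```python
"""Baseline-diff audit of an NVR's user accounts across a software update.

Added example (not Blue Iris code). The User fields and both snapshots are
assumptions: replace BEFORE/AFTER with real exports from your own system.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    password_set: bool   # False models an account with an empty password
    lan_only: bool       # True models the "LAN-only" restriction
    admin: bool = False


# Constructed snapshots: the second one mimics an update that silently added
# a password-less, remotely reachable account.
BEFORE: List[User] = [
    User("admin", password_set=True, lan_only=False, admin=True),
    User("viewer", password_set=True, lan_only=True),
]
AFTER: List[User] = BEFORE + [User("cameras", password_set=False, lan_only=False)]


def diff_users(before: Iterable[User], after: Iterable[User]) -> Tuple[list, list, list]:
    """Return (added, removed, changed) account names between two snapshots."""
    b = {u.name: u for u in before}
    a = {u.name: u for u in after}
    added = sorted(set(a) - set(b))
    removed = sorted(set(b) - set(a))
    changed = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return added, removed, changed


def risk(u: User) -> str:
    """Classify one account. No password + remote access is the worst case;
    no password but LAN-only is still bad (anyone on the LAN walks in)."""
    if not u.password_set and not u.lan_only:
        return "critical"
    if not u.password_set:
        return "high"
    if u.admin and not u.lan_only:
        return "review"   # remote admin is legitimate but worth confirming
    return "ok"


def audit(before: Iterable[User], after: Iterable[User]) -> List[str]:
    """Human-readable findings for the post-update snapshot, with new accounts
    called out explicitly so they are not mistaken for something you created."""
    added, removed, _changed = diff_users(before, after)
    findings = []
    for u in sorted(after, key=lambda x: x.name):
        level = risk(u)
        if level == "ok":
            continue
        origin = "NEW since update" if u.name in added else "pre-existing"
        findings.append(f"{level.upper()}: {u.name} ({origin}, "
                        f"password={'set' if u.password_set else 'EMPTY'}, "
                        f"{'LAN-only' if u.lan_only else 'remote access'})")
    for name in removed:
        findings.append(f"INFO: account {name} disappeared during update")
    return findings


def remediate(after: Iterable[User], baseline: Iterable[User]) -> List[User]:
    """Apply the thread's advice: remove password-less accounts the update added,
    and fall back to LAN-only for any password-less account that was already there."""
    known = {u.name for u in baseline}
    result = []
    for u in after:
        if not u.password_set and u.name not in known:
            continue                                  # remove it outright
        if not u.password_set:
            u = replace(u, lan_only=True)             # at least contain it
        result.append(u)
    return result


if __name__ == "__main__":
    for line in audit(BEFORE, AFTER):
        print(line)
    print("after remediation:", [u.name for u in remediate(AFTER, BEFORE)])
```

The remediation step is deliberately conservative: an account the baseline never had and that has no password is removed, while a pre-existing password-less account is only restricted to LAN-only, because deleting something an operator created on purpose is a different decision from deleting something an installer dropped in.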

digger11

Getting comfortable
Joined
Mar 26, 2014
Messages
368
Reaction score
376
I did. 4.1.7.1 may not add a cameras account, but it also does not appear to modify or remove a cameras account that was added by 4.1.7.0. If you have one of those accounts, I would advise that you remove it.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,673
Reaction score
14,017
Location
USA
Indeed, BI needs to start automatically removing the no-password cameras account. If BI leaves it in, then it becomes a serious problem because most users will never know it existed.
 

technet

Getting the hang of it
Joined
Dec 25, 2014
Messages
136
Reaction score
17
I agree, that would be a much more proper approach.
 

technet

Getting the hang of it
Joined
Dec 25, 2014
Messages
136
Reaction score
17
Version 4.1.7.2 available.

Updated security certificate
HTTP Live Streaming updates
Other enhancements and bug fixes

 

MartyO

Banned
Joined
Jun 4, 2015
Messages
589
Reaction score
20
Exactly my point... Minimal impact for the reasons stated... Vulnerabilities need to be looked at in the proper context... The panic over this makes it appear much worse than it is...
There is already a new update available...
I don't think there is any software company I am aware of that patches vulnerabilities this quickly... Let alone NVRs, where firmware updates come rarely...

Sent via Tapatalk
Panic is good, real good, to fix a problem. But you (Fenderman) gotta learn to call a spade a spade. That's a problem. Why? Because you carry clout; don't lose it.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,901
Reaction score
21,269
Panic is good, real good, to fix a problem. But you (Fenderman) gotta learn to call a spade a spade. That's a problem. Why? Because you carry clout; don't lose it.
I didn't say it was not a problem. It was. It's simply not as big a deal as you are making it out to be. There have been MUCH worse vulnerabilities in IP cameras/NVRs or other cloud devices that were not patched for months. This also affected only a small subset of users who run as a service and who recently updated their installation. I doubt there was even a single compromised machine. Panic is never good. Today's patch resolves the problem.
Finally, the issue was totally preventable using a VPN.
 