Security Updates and Advisories
Committed to Security & Reliability
March Networks is committed to ensuring the security and reliability of all of our products. We strive to proactively address security threats as they are reported by the US Computer Emergency Readiness Team (US-CERT). When we learn of potential vulnerabilities, our team conducts immediate, in-depth investigations across our product lines. If appropriate and required, we take immediate action to prepare software/firmware updates, and to alert you to the availability of these updates.
Reporting Security Vulnerabilities to March Networks
If you believe you have identified a security vulnerability in a March Networks product, please contact us immediately at securityalert@marchnetworks.com.
We value the work of independent security researchers who identify vulnerabilities and follow responsible disclosure practices.
Security Advisories
Previous security updates impacting March Networks products are listed below, along with the corresponding software versions in which the vulnerability was addressed. Software updates are posted on our Partner Portal, and can also be found on our Software Downloads page.
If you don’t have access to our partner portal, contact your March Networks certified solution provider for assistance.
| CVE(s) | Advisory Summary | Products or Components | Addressed in Release | Severity |
|---|---|---|---|---|
| CVE-2024-6387 | A Remote Unauthenticated Code Execution (RCE) vulnerability in the OpenSSH server running on Linux-based systems was discovered and verified on a 32-bit Intel-based CPU. | 8000 NVRs, 9000 NVRs, RideSafe GT/MT/RT NVRs | Patch 42339 R1.0 for 5.26.0.0047 (GA) and 5.27.0.0049 (GA) | High |
| CVE-2022-40735, CVE-2002-20001, CVE-2023-48795, CVE-2023-46445, CVE-2023-46446 | Recently, NIST updated the vulnerabilities CVE-2022-40735 and CVE-2002-20001 to link to an IEEE paper presenting a practical Denial-of-Service attack on the finite field Diffie–Hellman key exchange. The attack is known as DHEat and is rated as a high vulnerability. The SSH service present in R5 recorders allows the use of a Diffie–Hellman key exchange, so there is a risk of a Denial-of-Service attack. We are releasing a patch that correct this, removing Diffie–Hellman key exchange. This patch also corrects CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446, a medium-rated SSH vulnerability known as Terrapin. | 8000 NVRs, 9000 NVRs, RideSafe GT/MT/RT NVRs | 5.27.0.0049 (GA) Patch 42114 R1.0 for 5.25.0.0127 (GA) and 5.26.0.0047 (GA) | High |
| See the impact section in the advisory | Azul Zulu OpenJDK vulnerabilities on untrusted code and network API. Some security scanners, executed run directly in the server hosting Command Enterprise, detect the Azul version from its configuration files, and list all the potential CVE disclosed in Azul release notes, without checking if the related components are installed or used. | Command Enterprise | No Impact to March Networks products | N/A |
| CVE-2004-0230 | Denial of service based on TCP Sequence Number Approximation. Some security scanners, executed run directly in the server hosting Command Enterprise, detect the Azul version from its configuration files, and list all the potential CVE disclosed in Azul release notes, without checking if the related components are installed, or how they are used. | See the impact section in the advisory | No Impact to March Networks products | N/A |
| CVE-2023-4863 | libwebp code injection execution in clients running Command Client | Command Client | Command Client 2.18.0 and higher, 2.17.2 and 2.16.3 | Critical |
| CVE-2020-15778, CVE-2018-15473, CVE-2021-28041, CVE-2021-41617, CVE-2020-14145 | OpenSSH update to avoid multiple medium security vulnerabilities. | 8000, 9000 and RideSafe GT/MT/RT series | Patch available for 5.24.0.0067 (GA) and 5.24.0.1001 (SP1) | Medium |
| N/A | Some security scanners show that the HTTP OPTIONS/DELETE methods are enabled, flagging a potential vulnerability without any further check, triggering a false alarm over Command Enterprise. | Command Enterprise | No Impact to March Networks products | N/A |
| N/A | March Networks 8000, 9000 and RideSafe Series recorders (R5) allow cameras and encoders to request authentication using weak protocols (NTLMv2 and basic authentication). | 8000, 9000 and RideSafe Series recorders | Visual Intelligence Software Suite 5.24.0.0067 | High |
| N/A | An authorized Command Enterprise user could forge a control message over the Command API to modify resource visibility outside of approved access. | Command Enterprise | 2.16.0 | High |
| CVE-2022-3786, CVE-2022-3602 | X.509 certificates email address overflows in OpenSSL 3.0.0-3.06. Our products don't use any version of OpenSSL affected by this issue. | All | No Impact to March Networks products | N/A |
| CVE-2022-22965 | An attacker may inject remote code execution by exploiting Spring application running on JDK 9 or greater. | No Impact to March Networks products | N/A | |
| CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 | An attacker may inject remote code execution by exploiting Log4j 1.2 components and functions not enabled or used by default: serialization in JMSSink, SQL injections in JDBCAppender, and Apache Chainsaw to view logs with a dedicated GUI-based log viewer. Command Enterprise versions up to 2.14 use Apache Log4j 1.x without enabling any of the above components and functions. An attacker will need privileged access to Command Enterprise to enable them, so it is not affected by the exploits. To completely avoid any confusion around these vulnerabilities, and for better future maintenance, in Command Enterprise 2.14.1, we replaced Log4j with Reload4j, a modern alternative to it. | Command Enterprise 2.14.1 | Low | |
| CVE-2021-45105 | An attacker may cause a denial of service when a crafted string is interpreted due to uncontrolled recursion from self-referential look-ups. Command Enterprise uses Apache Log4j 1.x, which is not affected by this vulnerability. | No Impact to March Networks products | N/A | |
| CVE-2021-4104 | An attacker may exploit Log4j 1.2 configuration, not enabled by default, for a function called JMSAppender. This function may lead to perform JNDI requests, resulting in remote code execution in a similar fashion to CVE-2021-44228. Command Enterprise uses Apache Log4j 1.x, without enabling JMSAppender. An attacker will already need privileged access to Command Enterprise to exploit it leveraging on this vulnerability. | Command Enterprise 2.14.1 | Low | |
| N/A | Authentication credentials are printed in clear in the device logs, after their first provisioning. The device serial number can be changed by pushing the configuration with Command Enterprise mass management or using a reserved API. | VA Series 1.1.1 ME6 Series 1.1.4 SE2 ATM Camera 1.1.1 SE2 Fleet Wedge Camera 1.1.1 SE2 Fleet Dash Camera 1.1.1 SE2 Flush and Pendant PTZs 30X 1.0.9 ME3 Pendant IR PTZ 40X 1.0.9 SE4 IR DuraBullet 1.0.10 | VA Series 1.1.2 ME6 Series 1.1.5 SE2 ATM Camera 1.1.2 SE2 Fleet Wedge Camera 1.1.2 SE2 Fleet Dash Camera 1.1.2 SE2 Flush and Pendant PTZs 30X 1.0.10 ME3 Pendant IR PTZ 40X 1.0.10 SE4 IR DuraBullet 1.0.11 | High |
| CVE-2021-44228 | An attacker may execute arbitrary code by injecting attacker-controlled data into a message logged with the Apache Log4j2 library versions between 2.0.0 and 2.14.1. Command Enterprise uses Apache Log4j 1.x, which is not affected by this vulnerability. | No Impact to March Networks products | N/A | |
| N/A | Some versions of Admin Console allow basic authentications over HTTP connections towards Command Enterprise | Admin Console version 5.17, 5.19, 5.20 (including all service packs prior to versions with the fix) | 5.17 SP3, 5.19 SP3, 5.20 SP2. Versions below 5.17 and above 5.20 are not affected | High |
| N/A | Vulnerability in Xiaongmai-based devices | No Impact to March Networks products | N/A | |
| CVE-2019-9163 | XAML code injection execution in clients running Command Client | Command Client | Command Client 2.7.2 | Critical |
| CVE-2019-2422 | Vulnerability in the Java SE component of Oracle Java SE | No Impact to March Networks products | N/A | |
| CVE-2019-2426 | Vulnerability in the Java SE component of Oracle Java SE | No Impact to March Networks products | N/A | |
| CVE-2019-2449 | Vulnerability in the Java SE component of Oracle Java SE | No Impact to March Networks products | N/A | |
| CVE-2019-11219 | iLnkP2p | No Impact to March Networks products | N/A | |
| CVE-2019-11220 | iLnkP2p | No Impact to March Networks products | N/A | |
| CVE-2018-1149 | cgi_system in NUUO's NVRMini2 3.8.0 | No Impact to March Networks products | N/A | |
| CVE-2018-1150 | NUUO's NVRMini2 3.8.0 | No Impact to March Networks products | N/A | |
| CVE-2018-10933 | Libssh Authentication Bypass | No Impact to March Networks products | N/A | |
| CVE-2018-11212 | Vulnerability in the Java SE component of Oracle Java SE | No Impact to March Networks products | N/A | |
| CVE-2017-5754 | Rogue data cache load (Meltdown) | Edge OS 2.x Devices; 6000, 8000, 9000, GT, MT Series Recorders & ME4 Series | Not necessary at this time | Low |
| CVE-2017-5754 | Rogue data cache load (Meltdown) | All of our software that can be installed on a Windows OS | Microsoft Security Patches only | Medium |
| CVE-2017-5753 | Bounds check bypass | Edge OS 2.x Devices; 6000, 8000, 9000, GT, MT Series Recorders; Edge 4 & Edge 16 Encoders; ME4 Series | Not necessary at this time | Low |
| CVE-2017-5753 | Bounds check bypass | All of our software that can be installed on a Windows OS | Microsoft Security Patches only | Medium |
| CVE-2017-5715 | Branch target injection (Spectre) | Edge OS 2.x Devices; 6000, 8000, 9000, GT, MT Series Recorders; ME4 Series | Not necessary at this time | Low |
| CVE-2017-5715 | Branch target injection (Spectre) | All of our software that can be installed on a Windows OS | Microsoft Security Patches only | Medium |
| CVE-2017-9765 | gSOAP | Various Edge OS 1.x and 2.x Devices | Refer to chart | Medium |
| CVE-2017-5638 | Apache Struts Jakarta Multipart Parser | No Impact to March Networks products | N/A | |
| CVE-2016-0800 | Cross-protocol attack on TLS using SSLv2 (DROWN) | All | No Impact to March Networks products | N/A |
| CVE-2015-1798 CVE-2015-1799 | NTP MiM/DOS attacks | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.10 | Medium |
| N/A | SSL Certificate Chain Contains RSA Keys Less Than 2048 bits | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.10 | Medium |
| CVE-2015-2808 | SSL RC4 Cipher Suites Supported | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.10 | Medium |
| N/A | Linux/Moose | No Impact to March Networks products | Medium | |
| CVE-2015-4000 | Logjam Attack | No Impact to March Networks products | Medium | |
| CVE-2015-0247 | e2fsprogs | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.9 SP1 | Medium |
| CVE-2015-0235 | Ghost | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.9 SP1 | Medium |
| CVE-2015-0235 | Ghost | Visual Intelligence (R5) 3000 Series | 5.5.1 SP18 | Medium |
| CVE-2015-0293 and others | OpenSSL 0.9.8zf | Visual Intelligence (R5) 3000 Series | 5.5.1 SP18 | High |
| N/A | OpenSSL | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.9 | Low |
| N/A | NTP Utilities | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.9 | Low |
| N/A | Open SSH | Visual Intelligence (R5) 8000 4000 (Gen 4) | 5.7.9 | Low |
| CVE-2015-0204 | FREAK SSL/TLS Vulnerability | All | No Impact to March Networks products | N/A |