Axis Cameras and TRUFFLEHUNTER 2020-1018

Solved
m_lingenfelter
Here to help

I have an issue where some older (EOL) AXIS cameras trigger a TRUFFLEHUNTER TALOS 2020-1018 alert, for which there is no additional information available other than that our MX detects some command and control activity. Due to the nature of this device and the server that it is connecting to, I believe that this is expected: a video security server connecting to a camera. However, identical cameras with identical firmware releases do not exhibit the same MX alert.

I am hesitant to whitelist this because of incomplete information, and resetting the camera to factory default with firmware flashing does not resolve the issue. Only camera replacement with another unit solves the alert issue.

Where this could eventually be an issue is when dozens of cameras that have gone EOL start exhibiting the same behavior. As a school district, we push hardware life as far as possible, but the concerns of compromised IoT hardware have accelerated our replacement schedule. It is not like I have Huawei cameras hanging everywhere, but replacing a camera exhibiting the issue with an identical one (model, vintage and firmware) resolves the issue.

Anyone with similar experiences?

1 Accepted Solution
D_Tak
Meraki Employee

With the IDS/IPS picking up the "TALOS 2020-1018", it would mean that the device itself is utilizing the vulnerable protocol, which in this alert ties to CVE-2020-6095. I would be hesitant to say for certain that the issue is resolved by replacing the camera, as the non-alerting camera may not be utilizing the affected service/port/protocol at the time.

This could also be a false positive, and I would recommend opening a case with Meraki Support to complete a deep dive on the specific alerting MX appliance that has the alerts. If this is a constant IDS alert that is being seen, you can provide Meraki Support with LAN/WAN captures from the MX appliance filtered out for the specific MAC of the camera so that we can see what may be going on.
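
The capture filtering suggested in the answer above, as an added example that is not part of the original thread or any Meraki tooling: a Python filter that keeps only the frames to or from one MAC address in a classic pcap file. The MAC addresses and the sample capture are constructed for illustration, and pcapng files are not handled.

```python
import struct

# Classic pcap magic numbers as they appear on disk, mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond
LINKTYPE_ETHERNET = 1

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = text.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def filter_pcap_by_mac(pcap_bytes, mac):
    """Return (filtered_pcap, kept, total), keeping frames sent to or from mac."""
    target = parse_mac(mac)
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("capture link type is not Ethernet")
    out = bytearray(pcap_bytes[:24])          # copy the global header unchanged
    offset, kept, total = 24, 0, 0
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        end = offset + 16 + incl_len
        if end > len(pcap_bytes):
            break                             # truncated final record
        total += 1
        # Ethernet header: bytes 0-5 destination MAC, bytes 6-11 source MAC.
        if target in (pcap_bytes[offset + 16:offset + 22], pcap_bytes[offset + 22:offset + 28]):
            out += pcap_bytes[offset:end]     # keep record header and frame
            kept += 1
        offset = end
    return bytes(out), kept, total

def build_sample_capture():
    """Constructed sample: three Ethernet frames, two involving the 'camera' MAC."""
    camera, server, other = (parse_mac(f"00:00:5e:00:53:0{n}") for n in (1, 2, 3))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, macs in enumerate([server + camera, camera + server, server + other]):
        frame = macs + b"\x08\x00" + b"\x00" * 46   # dst, src, EtherType, padding
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    _, kept, total = filter_pcap_by_mac(build_sample_capture(), "00:00:5e:00:53:01")
    print(f"kept {kept} of {total} frames")
```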

2 Replies
BHC_RESORTS
Head in the Cloud

We have non-EOL Axis cameras and don't have this issue. I'd recommend upgrading the cameras. I understand budgets, but having EOL gear in your stack is never good and can even invalidate your insurance.

BHC Resorts IT Department