
JVN#42070907: Multiple SONY Videoconference Systems do not properly perform authentication

Published: 2016-12-16 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)

CVSS2: 5.8 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 27.3%

Multiple SONY Videoconference Systems have a default user account that does not require authentication to log in to the device (CWE-306).
This account has the privilege to view some of the system configuration files. As a result, an attacker may manipulate the device with administrative privileges.

The telnet/ssl functionality is implemented in the device according to its specifications and is disabled by default. When this functionality is enabled, a user on the same subnetwork can log in to the device.

Impact

Another user on the same subnetwork may log in to the device. As a result, that user may manipulate the device with administrative privileges.

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.

Products Affected
