JVN#83701666: Multiple vulnerabilities in multiple I-O DATA network camera products

2018-08-07T00:00:00
ID JVN:83701666
Type jvn
Reporter Japan Vulnerability Notes
Modified 2018-08-07T00:00:00

Description

## Description

Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.

  • Permissions, Privileges, and Access Controls (CWE-264) - CVE-2018-0661 CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Base Score: 6.3
    ---|---|---
    CVSS v2 | AV:A/AC:L/Au:N/C:P/I:P/A:P | Base Score: 5.8
  • Insufficient Verification of Data Authenticity (CWE-345) - CVE-2018-0662 CVSS v3 | CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Base Score: 4.3
    ---|---|---
    CVSS v2 | AV:L/AC:L/Au:N/C:P/I:P/A:P | Base Score: 4.6
  • Use of Hard-coded Credentials (CWE-798) - CVE-2018-0663 CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | Base Score: 4.7
    ---|---|---
    CVSS v2 | AV:N/AC:M/Au:S/C:P/I:P/A:P | Base Score: 6.0

## Impact

  • A remote attacker on the adjacent network may add files on a specific directory and execute arbitrary OS commands and codes - CVE-2018-0661
  • Information including credentials may be leaked and altered - CVE-2018-0661
  • An attacker who can access the affected product physically may add malicious files on the product and execute an arbitrary code - CVE-2018-0662
  • A remote attacker may execute an arbitrary OS command - CVE-2018-0663

## Solution

Update the Firmware
Apply the firmware update according to the information provided by the developer.

## Products Affected

  • TS-WRLP firmware Ver.1.09.04 and earlier
  • TS-WRLA firmware Ver.1.09.04 and earlier
  • TS-WRLP/E firmware Ver.1.09.04 and earlier