JVN#83701666: Multiple vulnerabilities in multiple I-O DATA network camera products

2018-08-07T00:00:00
ID JVN:83701666
Type jvn
Reporter Japan Vulnerability Notes
Modified 2018-08-07T00:00:00

Description

Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.

Permissions, Privileges, and Access Controls (CWE-264) - CVE-2018-0661

Version| Vector| Score
---|---|---
CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L| Base Score: 6.3
CVSS v2| AV:A/AC:L/Au:N/C:P/I:P/A:P| Base Score: 5.8

Insufficient Verification of Data Authenticity (CWE-345) - CVE-2018-0662

Version| Vector| Score
---|---|---
CVSS v3| CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L| Base Score: 4.3
CVSS v2| AV:L/AC:L/Au:N/C:P/I:P/A:P| Base Score: 4.6

Use of Hard-coded Credentials (CWE-798) - CVE-2018-0663

Version| Vector| Score
---|---|---
CVSS v3| CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L| Base Score: 4.7
CVSS v2| AV:N/AC:M/Au:S/C:P/I:P/A:P| Base Score: 6.0

## Impact

  • A remote attacker on the adjacent network may add files on a specific directory and execute arbitrary OS commands and codes - CVE-2018-0661
  • Information including credentials may be leaked and altered - CVE-2018-0661
  • An attacker who can access the affected product physically may add malicious files on the product and execute an arbitrary code - CVE-2018-0662
  • A remote attacker may execute an arbitrary OS command - CVE-2018-0663

## Solution

Update the Firmware
Apply the firmware update according to the information provided by the developer.

## Products Affected

  • TS-WRLP firmware Ver.1.09.04 and earlier
  • TS-WRLA firmware Ver.1.09.04 and earlier
  • TS-WRLP/E firmware Ver.1.09.04 and earlier