JVN#35062083: Multiple I-O DATA Recording Hard disk products vulnerable to cross-site request forgery

Overview

Multiple Recording Hard disk products provided by I-O DATA DEVICE, INC. contain a cross-site request forgery vulnerability.

Products Affected

HVL-A2.0 firmware versions prior to 2.04
HVL-A3.0 firmware versions prior to 2.04
HVL-A4.0 firmware versions prior to 2.04
HVL-AT1.0S firmware versions prior to 2.04
HVL-AT2.0 firmware versions prior to 2.04
HVL-AT3.0 firmware versions prior to 2.04
HVL-AT4.0 firmware versions prior to 2.04
HVL-AT2.0A firmware versions prior to 2.04
HVL-AT3.0A firmware versions prior to 2.04
HVL-AT4.0A firmware versions prior to 2.04

Description

Multiple Recording Hard disk products provided by I-O DATA DEVICE, INC. contain a cross-site request forgery vulnerability due to an issue in the web management screen.

Impact

If a user views a malicious page, an arbitrary content may be deleted.

Solution

Update the Firmware
Apply the appropriate firmware update provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
I-O DATA DEVICE, INC.	Vulnerable	2016/08/08	I-O DATA DEVICE, INC. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Score: 4.3

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N