Published:2017/05/16  Last Updated:2017/05/16

JVN#81820501
FlashAir do not set credential information in PhotoShare

Overview

FlashAirTM provided by Toshiba Corporation does not set credential information in PhotoShare function.

Products Affected

  • FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.01 and earlier
  • FlashAirTM SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.03 and earlier

Description

FlashAirTM by Toshiba Corporation is an SDHC memory card which provides wireless LAN access functions. FlashAirTM PhotoShare function enables to share the image data in a certain folder with other users as it switches the original wireless LAN connection set by FlashAirTM default to the wireless LAN connection for PhotoShare.

When enabling PhotoShare with a mobile application (either for Android or iOS), the application prompts a user to set credentials. But when enabling PhotoShare with web browsers, the wireless LAN connection for PhotoShare cannot be enabled, and default credentials are set to the other wireless network configured to the device. As a result, a remote attacker with access to the wireless LAN may obtain image data by using default credentials (CWE-284).

Impact

If PhotoShare is enabled by web browsers, an attacker with access to the wireless LAN may obtain image data.

Solution

Use mobile application
When enabling PhotoShare, use the mobile application (either for Android or for iOS) to set SSID and password.
According to the developer, firmware versions listed below and later disable PhotoShare setting from web browsers.

  • FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02
  • FlashAirTM SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.04

Vendor Status

Vendor Link
Toshiba Corporation Photoshare of FlashAirâ„¢ may have a security vulnerability to a fixed password
SDHC Memory Card with embedded wireless LAN functionality FlashAirâ„¢ (SD-WE series<W-03>)
SDHC Memory Card with embedded wireless LAN functionality FlashAirâ„¢ (SD-WD/WC series<W-02>)
How to Use the Photoshare function

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 4.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:A/AC:L/Au:N/C:P/I:N/A:N
Base Score: 3.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2017-2162
JVN iPedia JVNDB-2017-000091