JVN#83701666
Multiple vulnerabilities in multiple I-O DATA network camera products

Overview

Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities.

Products Affected

• TS-WRLP firmware Ver.1.09.04 and earlier
• TS-WRLA firmware Ver.1.09.04 and earlier
• TS-WRLP/E firmware Ver.1.09.04 and earlier

Description

Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.

• Permissions, Privileges, and Access Controls (CWE-264) - CVE-2018-0661

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	Base Score: 6.3
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

• Insufficient Verification of Data Authenticity (CWE-345) - CVE-2018-0662

  CVSS v3	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	Base Score: 4.3
  CVSS v2	AV:L/AC:L/Au:N/C:P/I:P/A:P	Base Score: 4.6

• Use of Hard-coded Credentials (CWE-798) - CVE-2018-0663

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L	Base Score: 4.7
  CVSS v2	AV:N/AC:M/Au:S/C:P/I:P/A:P	Base Score: 6.0

Impact

• A remote attacker on the adjacent network may add files on a specific directory and execute arbitrary OS commands and codes - CVE-2018-0661
• Information including credentials may be leaked and altered - CVE-2018-0661
• An attacker who can access the affected product physically may add malicious files on the product and execute an arbitrary code - CVE-2018-0662
• A remote attacker may execute an arbitrary OS command - CVE-2018-0663

Solution

Update the Firmware
Apply the firmware update according to the information provided by the developer.