Published:2019/08/07  Last Updated:2019/08/07

JVNVU#97511331
Multiple vulnerabilities in multiple Canon digital cameras

Overview

Multiple Canon digital cameras (EOS series and PowerShot series) contain multiple vulnerabilities.

Products Affected

  • EOS Series (DSLR and Mirrorless)
  • PowerShot SX70HS
  • PowerShot SX740HS
  • PowerShot G5XMarkII
For details, refer to the information provided by the developer.

Description

Multiple Canon digital cameras (EOS series and PowerShot series) contain multiple vulnerabilities listed below.

  • Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing SendObjectInfo command (CWE-120) - CVE-2019-5994
  • Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing notifybtstatus command (CWE-120) - CVE-2019-5998
  • Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing blerequest command (CWE-120) - CVE-2019-5999
  • Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing sendhostinfo command (CWE-755) - CVE-2019-6000
  • Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing setadapterbatteryreport command (CWE-755) - CVE-2019-6001
  • Missing authorization vulnerability which may result in unauthorized firmware update (CWE-862) - CVE-2019-5995

Impact

  • A specially crafted PTP command may cause a buffer overflow, which may leave the affected digital camera unresponsive or allow a remote attacker to execute arbitrary code - CVE-2019-5994, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001
  • Because the software does not implement a user confirmation step before applying a firmware update, firmware specially crafted by a remote attacker, or an unofficial firmware update, may be applied without the user's consent - CVE-2019-5995

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.
For details, refer to the information provided by the developer.

Apply workarounds
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

  • Turn on the camera's network function only when it is necessary
  • Do not connect the camera to untrusted devices
  • Do not connect the camera to untrusted networks
  • Apply only official firmware updates obtained from Canon's official homepage

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)

CVSS v2: AV:A/AC:L/Au:N/C:C/I:C/A:C
Base Score: 8.3
  • Access Vector (AV): Adjacent Network (A)
  • Access Complexity (AC): Low (L)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Complete (C)
  • Integrity Impact (I): Complete (C)
  • Availability Impact (A): Complete (C)

Other Information

CVE: CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001