Published: 2022/11/14 Last Updated: 2022/11/14
JVNVU#97968855
Multiple vulnerabilities in Hitachi Kokusai Network products for monitoring system (Camera, Encoder, Decoder)
Overview
Network products for monitoring system (Camera, Encoder, Decoder) provided by Hitachi Kokusai Electric Inc. contain multiple vulnerabilities.
Products Affected
- camera HC, KV, KP series
- encoders VG, PT series
- decoders PT series
Description
Network products for monitoring system (Camera, Encoder, Decoder) provided by Hitachi Kokusai Electric Inc. contain the multiple vulnerabilities listed below.
- Missing Authentication for Critical Function (CWE-306) - CVE-2022-37680
Affected products may be rebooted without authentication by a crafted HTTP request.
CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score: 7.5
- Path Traversal (CWE-22) - CVE-2022-37681
CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5
Impact
- By sending a specially crafted request, an attacker may cause a denial-of-service (DoS) condition - CVE-2022-37680
- By sending a specially crafted request, an attacker may obtain arbitrary files of the underlying operating system - CVE-2022-37681
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
Credit
Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to the developer and coordinated.
JPCERT/CC published this advisory in order to notify users of these vulnerabilities.