Published:2016/11/11 Last Updated:2016/11/11
JVN#34103586
Multiple I-O DATA network camera products vulnerable to information disclosure
Overview
Multiple network camera products provided by I-O DATA DEVICE, INC. contain an information disclosure vulnerability.
Products Affected
- TS-WRLP firmware version 1.00.01 and earlier
- TS-WRLA firmware version 1.00.01 and earlier
Description
Multiple network camera products provided by I-O DATA DEVICE, INC. contain an information disclosure vulnerability (CWE-200).
Impact
Information such as authentication credentials may be disclosed by an attacker who can access the product.
Solution
Update the Firmware
Apply the appropriate firmware update provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| I-O DATA DEVICE, INC. | Vulnerable | 2016/11/11 | I-O DATA DEVICE, INC. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score:
4.3
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:A/AC:L/Au:N/C:P/I:N/A:N
Base Score:
3.3
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2016-7814 |
| JVN iPedia |
JVNDB-2016-000221 |