Published:2016/12/16  Last Updated:2016/12/16

JVN#42070907
Multiple SONY Videoconference Systems do not properly perform authentication

Overview

Mutiple SONY Videoconference Systems do not properly perform authentication.

Products Affected

  • PCS-XG100
  • PCS-XG100S
  • PCS-XG77
  • PCS-XG77S
  • PCS-XC1
For more information, refer to the information provided by the developer.

Description

Multiple SONY Videoconference Systems have a default user account which does not require authentication to login to a device (CWE-306).
This user account has a privilege to view some of the system configuration files.  As a result, the device may be manipulated by an attacker with administrative privileges.

telnet/ssl functionality is implemented based on the specifications in the device, and it is disabled by default.  When this functionality is enabled, a user in the same subnetwork can login to the device.

Impact

The device may be logged in by the other user in the same subnetwork.  As a result, the device may be manipulated by the user with administrative privileges.

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
Sony Corporation Notice regarding Video conference Network Security Enhancement
Software: PCS-XG100/XG77 V1.51.20 & PCS-XC1 V1.22.20

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:A/AC:M/Au:N/C:P/I:N/A:N
Base Score: 2.9
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Sony Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Sony Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2016-7830
JVN iPedia JVNDB-2016-000246