JVN#75437943
Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure
Overview
Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability.
Products Affected
- GT-DMB-N with firmware versions prior to 3.00
- GT-DMB with firmware versions prior to 3.00
- GT-DMB-LVN with firmware versions prior to 3.00
- GT-DB-VN with firmware versions prior to 2.00
Description
Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability (CWE-200).
Impact
An attacker who can obtain specific information about the product and can access the product may obtain sensitive information stored in the device.
Solution
Use the products with the fixed firmware
According to the developer, the vulnerability has been fixed since December 2021.
For information on support for products released before December 2021, please contact the developer.
Vendor Status
Vendor | Link |
---|---|
Aiphone Co., Ltd. | GT System, Entrance station Vulnerability Information. |
 | Contact us |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Cameron Palmer of PROMON reported this vulnerability to Aiphone Co., Ltd. and coordinated. Aiphone Co., Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
Other Information
CVE | CVE-2022-40903 |
JVN iPedia | JVNDB-2022-000086 |