JVN#96646182
Panasonic Video Insight VMS vulnerable to arbitrary code execution
Overview
Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability
Products Affected
- Video Insight VMS versions prior to 7.6.1
【2020/06/25 Update】
When this advisory was first published on 2020 May 19, the affected version was described as "7.5 and earlier". However, the developer found that the fix was not adequate in version 7.6, thus version 7.6.1 that contains the fix was released later.
Description
Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability (CWE-94).
Impact
An arbitrary code may be executed by a remote attacker.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
【2020/06/25 Update】
When this advisory was first published on 2020 May 19, the affected version was described as "7.5 and earlier". However, the developer found that the fix was not adequate in version 7.6, thus version 7.6.1 that contains the fix was released later.
Vendor Status
| Vendor | Link |
| Panasonic Corporation | Release Notes –Video Insight IP Server 7.6.1 Maintenance Release |
| Download |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2019-5997 |
| JVN iPedia |
JVNDB-2020-000032 |
Update History
- 2020/06/25
- Fixed the information under the sections [Products Affected], [Solution], and [Vendor Status].