JVNVU#90142679
Multiple vulnerabilities in TAKENAKA ENGINEERING digital video recorders
Overview
Multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. contain multiple vulnerabilities.
Products Affected
- HDVR-400 versions prior to 46110.1.100869.65
- HDVR-800 versions prior to 53210.1.900103.65
- HDVR-1600 versions prior to 53310.1.900111.65
- AHD04T-A/AHD08T-A/AHD16T-A versions prior to 7xx10.1.900055.65
- NVR04T-A/NVR08T-A versions prior to 56x10.1.100540.65
- NVR16T-A versions prior to 49310.1.100540.65
Description
Multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. contain multiple vulnerabilities listed below.
- Improper authentication (CWE-287)
  - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
  - CVE-2024-41929
- OS command injection (CWE-78)
  - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
  - CVE-2024-43778
- Hidden functionality (CWE-912)
  - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
  - CVE-2024-47001
Impact
An arbitrary OS command may be executed on the product or the device settings may be altered.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
For more information, refer to the information provided by the developer.
Vendor Status
Vendor | Link |
TAKENAKA ENGINEERING CO., LTD. | [T-series digital recorders] Request for applying firmware updates (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Yoshiki Mori, Ushimaru Hayato, Yuki Umemura and Masaki Kubo of Cybersecurity Research Institute, National Institute of Information and Communications Technology reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
CVE | CVE-2024-41929, CVE-2024-43778, CVE-2024-47001 |