Published: 2022/08/31  Last Updated: 2022/08/31

JVNVU#90766406
Multiple vulnerabilities in PLANEX Network camera products

Overview

"SmaCam CS-QR10" and "SmaCam Night Vision CS-QR20" provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities.

Products Affected

  • SmaCam CS-QR10 all versions
  • SmaCam Night Vision CS-QR20 all versions

Description

Network camera products "SmaCam CS-QR10" and "SmaCam Night Vision CS-QR20" provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below.

  • Missing protection mechanism for alternate hardware interface (CWE-1299) - CVE-2022-38399
    CVSS v3.1 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8
  • Hidden Functionality (CWE-912) - CVE-2017-12576
    CVSS v3.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 7.2

Impact

  • By connecting to a certain serial connection on the product, an attacker may execute an arbitrary OS command - CVE-2022-38399
  • An attacker who can log in to the web management interface may execute an arbitrary OS command on the affected product - CVE-2017-12576

Solution

Stop using the products or use them in a safe environment
The products are no longer supported, and updates to fix the issues will not be made available.
As a workaround, the developer recommends that users stop using the products, or change the administrator password and use them in a secure local network environment.

Credit

Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE CVE-2022-38399