Published: 2023/08/21  Last Updated: 2023/08/21

JVNVU#92545432
Multiple vulnerabilities in CBC digital video recorders

Overview

Digital video recorders provided by CBC Co., Ltd. contain multiple vulnerabilities.

Products Affected

  • NR4H, NR8H, NR16H series
  • DR-16F, DR-8F, DR-4F, DR-16H, DR-8H, DR-4H, DR-4M41 series
  • NR-4M, NR-8M, NR-16M series
  • NR-4F, NR-8F, NR-16F series
  • DR-16M, DR-8M, DR-4M51 series

Description

Digital video recorders provided by CBC Co., Ltd. contain the multiple vulnerabilities listed below.

  • Improper authentication (CWE-287) - CVE-2023-38585
  • OS command injection (CWE-78) - CVE-2023-40144
  • Hidden functionality (CWE-912) - CVE-2023-40158

Impact

An arbitrary OS command may be executed on the device or its settings may be altered by a remote attacker.

Solution

Update the firmware

For the following devices, update the firmware to the latest version according to the information provided by the developer.

  • NR-4M, NR-8M, NR-16M series
  • NR-4F, NR-8F, NR-16F series
  • DR-16M, DR-8M, DR-4M51 series

Stop connecting to the internet

The devices listed below are no longer supported and therefore do not meet current security requirements. They are not suitable for connection to the internet.

  • NR4H, NR8H, NR16H series
  • DR-16F, DR-8F, DR-4F, DR-16H, DR-8H, DR-4H, DR-4M41 series

For more information, refer to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Comment

This analysis assumes a scenario in which OS commands are executed on the device using credentials obtained by exploiting CVE-2023-38585.

Credit

Yoshiki Mori, Ushimaru Hayato, Hiromu Kubiura and Masaki Kubo of the National Institute of Information and Communications Technology Cybersecurity Research Institute reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2023-38585, CVE-2023-40144, CVE-2023-40158