Published: 2022/10/12  Last Updated: 2022/10/12

JVNVU#93424017
Multiple vulnerabilities in SVMPC1 and SVMPC2

Overview

SVMPC1 and SVMPC2 provided by Daikin Holdings Singapore Pte Ltd. contain multiple vulnerabilities.

Products Affected

SVMPC1 and SVMPC2 sold and distributed in regions other than Japan

  • Regions:
    • Singapore, Vietnam, Indonesia, Malaysia, Thailand, Taiwan, India, Mexico, Colombia, Brazil
  • Product and version:
    • SVMPC1 Ver2.1.22 and earlier
    • SVMPC2 Ver1.2.3 and earlier
For more information, refer to the information provided by the developer.

Description

SVMPC1 and SVMPC2 provided by Daikin Holdings Singapore Pte Ltd. contain multiple vulnerabilities listed below.

  • Use of hard-coded password (CWE-259) - CVE-2022-41653
  • Improper access control (CWE-284) - CVE-2022-38355

Impact

Exploiting these vulnerabilities may allow an attacker on the same LAN segment to access the affected product without authorization and conduct arbitrary operations.

For more information, refer to the information provided by the developer.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The automatic update will be applied when the internet connection settings are enabled.

For more information, refer to the information provided by the developer.

Vendor Status

Vendor Link
Daikin Holdings Singapore Pte Ltd. Vulnerability in SVM Series

References

  1. ICS Advisory (ICSA-22-284-02)
    Daikin Holdings Singapore Pte Ltd. SVMPC1 and SVMPC2
