JVNVU#96435227
Multiple SONY network cameras vulnerable to sensitive information disclosure
Overview
Multiple SONY network cameras contain a sensitive information disclosure vulnerability.
Products Affected
Multiple products are affected.
For details, refer to the information provided by the developer.
Description
Multiple SONY network cameras contain a sensitive information disclosure vulnerability.
Impact
Authentication information may be obtained by an unauthenticated user who can access the device.
As a result, the user can log in as an administrator and conduct any administrative operations.
Solution
Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Sony Corporation | Digital, Wireless & Network IP Security Cameras |
| New firmware for network cameras |
References
-
SEC Consult
Backdoor in Sony IPELA Engine IP Cameras -
SEC Consult
SEC Consult Vulnerability Lab Security Advisory < 20161206-0 >
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
SEC Consult reported this vulnerability to Sony, and Sony reported this vulnerability to JPCERT/CC to notify the solution to users through JVN. JPCERT/CC and Sony coordinated for the publication of this case.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2016-7834 |
| JVN iPedia |
|