Published: 2022/11/14  Last Updated: 2022/11/14

JVNVU#97968855
Multiple vulnerabilities in Hitachi Kokusai Network products for monitoring system (Camera, Encoder, Decoder)

Overview

Network products for monitoring system (Camera, Encoder, Decoder) provided by Hitachi Kokusai Electric Inc. contain multiple vulnerabilities.

Products Affected

  • camera HC, KV, KP series
  • encoders VG, PT series
  • decoders PT series
For information about the affected product types and firmware versions, refer to the information provided by the developer.

Description

Network products for monitoring system (Camera, Encoder, Decoder) provided by Hitachi Kokusai Electric Inc. contain the multiple vulnerabilities listed below.

  • Missing Authentication for Critical Function (CWE-306) - CVE-2022-37680
    Affected products may be rebooted without authentication by a crafted HTTP request.
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score: 7.5
  • Path Traversal (CWE-22) - CVE-2022-37681
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5

Impact

  • By sending a specially crafted request, an attacker may cause a denial-of-service (DoS) condition - CVE-2022-37680
  • By sending a specially crafted request, an attacker may obtain arbitrary files of the underlying operating system - CVE-2022-37681

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor  | Status     | Last Update | Vendor Notes
Hitachi | Vulnerable | 2022/11/14  | Hitachi website

Credit

Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to the developer and coordinated.
JPCERT/CC published this advisory in order to notify users of these vulnerabilities.
