JVNVU#97968855: Multiple vulnerabilities in Hitachi Kokusai Network products for monitoring system(Camera, Encoder, Decoder)

Overview

Network products for monitoring system(Camera, Encoder, Decoder) provided by Hitachi Kokusai Electric Inc. contain multiple vulnerabilities.

Products Affected

camera HC, KV, KP series
encoders VG, PT series
decoders PT series

For information about the affected product types and firmware versions, refer to the information provided by the developer.

Description

Network products for monitoring system(Camera, Encoder, Decoder) provided by Hitachi Kokusai Electric Inc. contain multiple vulnerabilities listed below.

Missing Authentication for Critical Function (CWE-306) - CVE-2022-37680
Affected products may be rebooted without authentication by a crafted HTTP request.

CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score: 7.5
Path Traversal (CWE-22) - CVE-2022-37681

CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5

Impact

By sending a specially crafted request, an attacker may cause a denial-of-service (DoS) condition - CVE-2022-37680
By sending a specially crafted request, an attacker may obtain arbitrary files of the underlying operating system - CVE-2022-37681

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
Hitachi	Vulnerable	2022/11/14	Hitachi website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to the developer and coordinated.
JPCERT/CC published this advisory in order to notify users of these vulnerabilities.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia

JVNVU#97968855 Multiple vulnerabilities in Hitachi Kokusai Network products for monitoring system(Camera, Encoder, Decoder)