[Japanese]

JVNDB-2013-000095

HDL-A and HDL2-A Series vulnerable in session management

Overview

HDL-A and HDL2-A Series provided by I-O DATA DEVICE, INC. are LAN connectable hard disk drives. HDL-A and HDL2-A Series contain a vulnerability related to the management of sessions.

Kazuki Hirota of Keio University Keiji Takeda Research Group reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


I-O DATA DEVICE
  • HDL-A Series
  • HDL-A Series (includes HDL-AS, HDL-AH, HDL-A/E Series) firmware version 1.07 and earlier
  • HDL-A/E Series
  • HDL-AH Series
  • HDL-AS Series
  • HDL2-A Series
  • HDL2-A Series (includes HDL2-AH, HDL2-A/E Series) firmware version 1.07 and earlier
  • HDL2-A/E Series
  • HDL2-AH Series

Impact

A remote unauthenticated attacker may impersonate a user. As a result, information may be disclosed or altered.
Solution

[Update the Firmware]
Apply the firmware update provided by the developer.
Vendor Information

I-O DATA DEVICE
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2013-4712
References

  1. JVN : JVN#52509236
  2. National Vulnerability Database (NVD) : CVE-2013-4712
Revision History

[2013/10/18]
  Web page was published
[2013/10/22]
  Affected Products : Products were added
  References : Content was added