JVNDB-2023-007150

Multiple vulnerabilities in First Corporation's DVRs

Overview

DVRs provided by First Co., Ltd. contain the multiple vulnerabilities listed below.

* Use of hard-coded password (CWE-259) - CVE-2023-47213
* Missing authentication for critical function (CWE-306) - CVE-2023-47674

Yoshiki Mori of the National Institute of Information and Communications Technology Cybersecurity Research Institute reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2023-47674.

CVSS V3 Severity:
Base Metrics 8.1 (High)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2023-47213.

Affected Products


First Co., Ltd.
  • CFR-1004EA firmware
  • CFR-1008EA firmware
  • CFR-1016EA firmware
  • CFR-16EAA firmware
  • CFR-16EAB firmware
  • CFR-16EHA firmware
  • CFR-16EHD firmware
  • CFR-4EAA firmware
  • CFR-4EAAM firmware
  • CFR-4EAB firmware
  • CFR-4EABC firmware
  • CFR-4EHA firmware
  • CFR-4EHD firmware
  • CFR-8EAA firmware
  • CFR-8EAB firmware
  • CFR-8EHA firmware
  • CFR-8EHD firmware
  • CFR-904E firmware
  • CFR-908E firmware
  • CFR-916E firmware
  • MD-404AA firmware
  • MD-404AB firmware
  • MD-404HA firmware
  • MD-404HD firmware
  • MD-808AA firmware
  • MD-808AB firmware
  • MD-808HA firmware
  • MD-808HD firmware

Impact

A remote attacker may rewrite or obtain the configuration information of the affected device.

Solution

[Update the Firmware]
The developer provides firmware updates for the following products.

* CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, MD-808AB: Late model

[Apply the Workaround]
For products for which no firmware updates are provided, apply the workaround indicated by the developer.

For more information, refer to the information provided by the developer.

Vendor Information

First Co., Ltd.

CWE

  1. Use of Hard-coded Password (CWE-259)
  2. Missing Authentication for Critical Function (CWE-306)

CVE

  1. CVE-2023-47213
  2. CVE-2023-47674

References

  1. JVN : JVNVU#99077347
  2. Related document : NICTER Blog (in Japanese)

Revision History

  • [2023/11/17]
      Web page was published