|
[Japanese]
|
JVNDB-2023-002055
|
Multiple vulnerabilities in KbDevice digital video recorders
|
|
Multiple digital video recorders provided by KbDevice,Inc. contain multiple vulnerabilities listed below.
* Improper authentication (CWE-287) - CVE-2023-30762
* OS command injection (CWE-78) - CVE-2023-30764
* Hidden functionality (CWE-912) - CVE-2023-30766
Yoshiki Mori, Ushimaru Hayato, Hiromu Kubiura and Masaki Kubo of National Institute of Information and Communications Technology Cybersecurity Research Institute reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
|
CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
|
|
KbDevice, Inc.
- KB-AHR04D versions prior to 91110.1.101106.78
- KB-AHR08D versions prior to 91110.1.101106.78
- KB-AHR16D versions prior to 91110.1.101106.78
- KB-IRIP04A versions prior to 95110.1.100290.78A
- KB-IRIP08A versions prior to 95110.1.100290.78A
- KB-IRIP16A versions prior to 95110.1.100290.78A
|
|
|
An arbitrary OS command may be executed on the product or the device settings may be altered.
[Comment]
This analysis assumes a scenario that OS commands are executed on the device using the credentials obtained by CVE-2023-30762.
|
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
For more information, refer to the information provided by the developer.
|
|
KbDevice, Inc.
|
|
- Improper Authentication(CWE-287) [Other]
- OS Command Injection(CWE-78) [Other]
- Hidden Functionality(CWE-912) [Other]
|
|
- CVE-2023-30762
- CVE-2023-30764
- CVE-2023-30766
|
|
- JVN : JVNVU#90812349
|
|
- [2023/06/07]
Web page was published
|
