JVNDB-2023-002055

Multiple vulnerabilities in KbDevice digital video recorders

Multiple digital video recorders provided by KbDevice,Inc. contain multiple vulnerabilities listed below.

* Improper authentication (CWE-287) - CVE-2023-30762
* OS command injection (CWE-78) - CVE-2023-30764
* Hidden functionality (CWE-912) - CVE-2023-30766

Yoshiki Mori, Ushimaru Hayato, Hiromu Kubiura and Masaki Kubo of National Institute of Information and Communications Technology Cybersecurity Research Institute reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

KbDevice, Inc.

• KB-AHR04D firmware versions prior to 91110.1.101106.78
• KB-AHR08D firmware versions prior to 91110.1.101106.78
• KB-AHR16D firmware versions prior to 91110.1.101106.78
• KB-IRIP04A firmware versions prior to 95110.1.100290.78A
• KB-IRIP08A firmware versions prior to 95110.1.100290.78A
• KB-IRIP16A firmware versions prior to 95110.1.100290.78A

An arbitrary OS command may be executed on the product or the device settings may be altered.

[Comment]
This analysis assumes a scenario that OS commands are executed on the device using the credentials obtained by CVE-2023-30762.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

For more information, refer to the information provided by the developer.

KbDevice, Inc.

• KbDevice, Inc. : Update: Fix for a recorder network attack issue (in Japanese)

1. Improper Authentication(CWE-287) [Other]
2. OS Command Injection(CWE-78) [Other]
3. Hidden Functionality(CWE-912) [Other]

1. CVE-2023-30762
2. CVE-2023-30764
3. CVE-2023-30766

1. JVN : JVNVU#90812349
2. National Vulnerability Database (NVD) : CVE-2023-30762
3. National Vulnerability Database (NVD) : CVE-2023-30764
4. National Vulnerability Database (NVD) : CVE-2023-30766

• [2023/06/07]
    Web page was published
• [2024/05/24]
    Affected Products : Products were modified
    References : Contents were added