[Japanese]

JVNDB-2023-007150

Multiple vulnerabilities in First Corporation's DVRs

Overview

DVRs provided by First Co., Ltd. contain multiple vulnerabilities listed below.

* Use of hard-coded password (CWE-259) - CVE-2023-47213
* Missing authentication for critical function (CWE-306) - CVE-2023-47674

Yoshiki Mori of National Institute of Information and Communications Technology Cybersecurity Research Institute reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-47674


CVSS V3 Severity:
Base Metrics8.1 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-47213
Affected Products


First Co., Ltd.
  • CFR-1004EA firmware
  • CFR-1008EA firmware
  • CFR-1016EA firmware
  • CFR-16EAA firmware
  • CFR-16EAB firmware
  • CFR-16EHA firmware
  • CFR-16EHD firmware
  • CFR-4EAA firmware
  • CFR-4EAAM firmware
  • CFR-4EAB firmware
  • CFR-4EABC firmware
  • CFR-4EHA firmware
  • CFR-4EHD firmware
  • CFR-8EAA firmware
  • CFR-8EAB firmware
  • CFR-8EHA firmware
  • CFR-8EHD firmware
  • CFR-904E firmware
  • CFR-908E firmware
  • CFR-916E firmware
  • MD-404AA firmware
  • MD-404AB firmware
  • MD-404HA firmware
  • MD-404HD firmware
  • MD-808AA firmware
  • MD-808AB firmware
  • MD-808HA firmware
  • MD-808HD firmware

Impact

A remote attacker may rewrite or obtain the configuration information of the affected device.
Solution

[Update the Firmware]
The developer provides the firmware updates for the following products.

* CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, MD-808AB: Late model

[Apply the Workaround]
For products for which no firmware updates are provided, apply the workaround indicated by the developer.

For more information, refer to the information provided by the developer.
Vendor Information

First Co., Ltd.
CWE (What is CWE?)

  1. Use of Hard-coded Password(CWE-259) [Other]
  2. Missing Authentication for Critical Function(CWE-306) [Other]
CVE (What is CVE?)

  1. CVE-2023-47213
  2. CVE-2023-47674
References

  1. JVN : JVNVU#99077347
  2. National Vulnerability Database (NVD) : CVE-2023-47213
  3. National Vulnerability Database (NVD) : CVE-2023-47674
  4. Related document : NICTER Blog (in Japanese)
Revision History

  • [2023/11/17]
      Web page was published
  • [2024/07/11]
      References : Contents were added