JVNDB-2024-008391

Multiple vulnerabilities in TAKENAKA ENGINEERING digital video recorders

Overview

Multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. contain multiple vulnerabilities listed below.


  • Improper authentication (CWE-287) - CVE-2024-41929

  • OS command injection (CWE-78) - CVE-2024-43778

  • Hidden functionality (CWE-912) - CVE-2024-47001



Yoshiki Mori, Ushimaru Hayato, Yuki Umemura and Masaki Kubo of Cybersecurity Research Institute, National Institute of Information and Communications Technology reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-41929


CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-43778


CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-47001

Affected Products


TAKENAKA ENGINEERING CO., LTD.
  • AHD04T-A versions prior to 7xx10.1.900055.65
  • AHD08T-A versions prior to 7xx10.1.900055.65
  • AHD16T-A versions prior to 7xx10.1.900055.65
  • HDVR-1600 versions prior to 53310.1.900111.65
  • HDVR-400 versions prior to 46110.1.100869.65
  • HDVR-800 versions prior to 53210.1.900103.65
  • NVR04T-A versions prior to 56x10.1.100540.65
  • NVR08T-A versions prior to 56x10.1.100540.65
  • NVR16T-A versions prior to 49310.1.100540.65

Impact

An arbitrary OS command may be executed on the product or the device settings may be altered.

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
For more information, refer to the information provided by the developer.

Vendor Information

TAKENAKA ENGINEERING CO., LTD.

CWE

  1. Improper Authentication (CWE-287) [Other]
  2. OS Command Injection (CWE-78) [Other]
  3. Hidden Functionality (CWE-912) [Other]

CVE

  1. CVE-2024-41929
  2. CVE-2024-43778
  3. CVE-2024-47001

References

  1. JVN : JVNVU#90142679

Revision History

  • [2024/09/19]
      Web page was published