February 23, 2009
The Information-technology Promotion Agency (IPA, Chairman Koji Nishigaki) announced a security alert on February 23, 2009 concerning a vulnerability in Sony SNC series network cameras.
If a user of this product views a malicious web page, this vulnerability allows arbitrary code to be executed.
If exploited, the computer may come under the control of an attacker. Unintended operations may occur, such as the execution of unintended programs, deletion of files, and the installation of malicious tools such as viruses and bots.
To fix this vulnerability, update to the fixed version supplied by the vendor.
The SNC series network cameras produced by Sony offer a function that uses an ActiveX control to enable the monitoring of audio-visual media in web browsers.
A heap buffer overflow vulnerability exists in the ActiveX control of the SNC series network cameras because a portion of the setting parameters is not properly processed. If this vulnerability is exploited, arbitrary code may be executed on a computer that has used the ActiveX control in a web browser.
For detailed information, refer to the following URL:
http://pro.sony.com/bbsc/ssr/cat-securitycameras/resource.downloads.bbsccms-assets-cat-camsec-downloads-AffectedNetworkCameras.shtml
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000012.html
The IPA first received a report concerning this vulnerability from the product developer on January 9, 2009. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor, and the announcement was made public on February 23, 2009.
If the user accesses a malicious website, unintended operations may occur on the computer, such as the execution of unintended programs, deletion of files, and the installation of malicious tools such as viruses and bots.
In general, an ActiveX control is temporarily installed on the computer before it is executed. Users who used this product in the past may therefore also be affected, and countermeasures are necessary.

To fix this vulnerability, update to the fixed version supplied by the vendor.
| Severity Rating (CVSS base score) | □ Low (0.0~3.9) | ■ Medium (4.0~6.9) | □ High (7.0~10.0) |
|---|---|---|---|
| CVSS base score | 6.8 | | |

| AV: Access Vector | □ Local | □ Adjacent Network | ■ Network |
|---|---|---|---|
| AC: Access Complexity | □ High | ■ Medium | □ Low |
| Au: Authentication | □ Multiple | □ Single | ■ None |
| C: Confidentiality Impact | □ None | ■ Partial | □ Complete |
| I: Integrity Impact | □ None | ■ Partial | □ Complete |
| A: Availability Impact | □ None | ■ Partial | □ Complete |

■: Selected Values
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)