IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in Sony SNC Series Network Camera

February 23, 2009

The Information-technology Promotion Agency (IPA, Chairman Koji Nishigaki) announced a security alert on February 23, 2009 concerning a vulnerability in Sony SNC series network cameras.
When a user of this product views a malicious webpage, this vulnerability can cause arbitrary code to be executed.
If exploited, the computer may come under the control of an attacker. Involuntary operations may occur, such as the execution of unintended programs, file deletions, and the installation of malicious tools such as viruses and bots.
To fix this vulnerability, update to the fixed version supplied by the vendor.

1.Overview

The SNC series network cameras produced by Sony offer a function that uses an ActiveX control to enable the monitoring of audio-visual media in web browsers.

A heap buffer overflow vulnerability exists in the ActiveX control of the SNC series network cameras, because some of the setting parameters are not properly processed. If this vulnerability is exploited, arbitrary code may be executed on the computer that used the ActiveX control in a web browser.

For detailed information, refer to the following URL:
http://pro.sony.com/bbsc/ssr/cat-securitycameras/resource.downloads.bbsccms-assets-cat-camsec-downloads-AffectedNetworkCameras.shtml

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000012.html

The IPA first received a report of this vulnerability from the product developer on January 9, 2009. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor and made the announcement public on February 23, 2009.

2.Impact

If the user accesses a malicious website, involuntary operations may occur on the computer, such as the execution of unintended programs, deletion of files, and the installation of malicious tools such as viruses and bots.

In general, the ActiveX control is temporarily installed on the computer before execution. Users who used this product in the past may therefore also be affected, and countermeasures are necessary.

3.Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4.CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score): □ Low (0.0~3.9) ■ Medium (4.0~6.9) □ High (7.0~10.0)
CVSS base score: 6.8

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete

■:Selected Values

5.CWE Type

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: