Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password

Medium
Advisory ID
ZSL-2021-5659
Release Date
30 July 2021
Vendor
Panasonic Corporation - https://www.panasonic.com, SANYO Electric Co., Ltd. - https://www.sanyo-av.com
Affected Version
Model: VCC-HD5600P, FrmVer: 2.03-06 (110315-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 2.03-08 (111222-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 1.02-05 (101005-07), SubVer: 1.01-00 (100528-00)
Model: VCC-HD3300, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3100P, FrmVer: 2.03-00 (110204-02), SubVer: 1.01-00 (100528-00)
Model: VCC-HD2100P, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Tested On
Embedded Linux, CGI
Summary

SANYO network cameras and network option boards using H.264 compression provide high-quality, real-time video for surveillance applications at low bandwidth. They stream H.264 and JPEG simultaneously and also offer COAX video output, giving a flexible solution for combined digital and analogue systems.

Description

The web interface of the camera allows users to perform certain actions via HTTP requests without any check that the request was deliberately issued by the logged-in user (cross-site request forgery). An attacker who lures a logged-in administrator to a malicious web site can abuse this to disable authentication on the camera and to change the account password with administrative privileges.
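The flaw described above is the absence of any request-validity check on a state-changing CGI action. The following is an added example, not code from the advisory or from the camera firmware: a minimal model of a password-change handler as the advisory describes it (any request carrying a valid session cookie is honoured) beside a hardened version that rejects cross-origin requests and requires a per-session synchronizer token. The camera address, the session store and the form parameter names are assumptions made for illustration; the real CGI endpoints and parameters are not documented on this page.

```python
"""CSRF on a camera's CGI password-change action: vulnerable vs. hardened handler.

Added example, not the advisory's proof of concept and not firmware code. The
camera address, session store and parameter names are constructed assumptions.
"""
import hmac
import secrets
from urllib.parse import urlsplit

CAMERA_HOST = "192.168.1.50"  # assumed camera address (constructed)

# Server-side session store: cookie value -> session state (constructed).
SESSIONS = {
    "sid-admin-1": {"user": "admin", "csrf_token": secrets.token_hex(16)},
}


def vulnerable_set_password(request):
    """Mirrors the behaviour the advisory describes: a valid session cookie
    is the only thing checked, so a form auto-submitted from an attacker's
    page (which the browser sends with the victim's cookie) succeeds."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    # No check that the request originated from the camera's own pages.
    return 200, f"password for {session['user']} changed"


def _same_origin(headers):
    """Accept only requests the browser attributes to the camera's origin.
    Origin is preferred; Referer is the fallback for browsers that omit
    Origin on same-origin form posts. If both are missing, reject."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == CAMERA_HOST


def hardened_set_password(request):
    """Same action with two independent CSRF defences: an origin check and a
    per-session synchronizer token compared in constant time."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    if not _same_origin(request["headers"]):
        return 403, "cross-origin request rejected"
    submitted = request["form"].get("csrf_token", "")
    expected = session["csrf_token"]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"password for {session['user']} changed"


def make_request(origin, include_token):
    """Build a constructed POST as a browser would send it. The session cookie
    is attached in every case; that is precisely what makes CSRF work."""
    sid = "sid-admin-1"
    form = {"new_password": "attacker-chosen"}
    if include_token:
        form["csrf_token"] = SESSIONS[sid]["csrf_token"]
    return {"headers": {"Origin": origin}, "cookies": {"sid": sid}, "form": form}


def demo():
    """Run cross-site and same-site posts through both handlers and return
    the HTTP status each one produces."""
    cross_site = make_request("http://attacker.example", include_token=False)
    same_site = make_request(f"http://{CAMERA_HOST}", include_token=True)
    no_token = make_request(f"http://{CAMERA_HOST}", include_token=False)
    return {
        "vulnerable_cross_site": vulnerable_set_password(cross_site)[0],
        "hardened_cross_site": hardened_set_password(cross_site)[0],
        "hardened_same_site": hardened_set_password(same_site)[0],
        "hardened_no_token": hardened_set_password(no_token)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The vulnerable handler returns 200 for the cross-site post because the browser attaches the admin's cookie automatically; the hardened handler rejects it on the origin check and, as defence in depth, also rejects a same-origin post that lacks the token. On a device whose firmware can no longer be updated, the practical mitigation is to keep the camera's web interface off any network a browser can reach from the internet and to log out of it when not in use.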

Proof of Concept
Disclosure Timeline
13.07.2021 Vulnerability discovered.
14.07.2021 Panasonic PSIRT contacted.
15.07.2021 Vendor responds asking for more details.
15.07.2021 Sent details to the vendor.
20.07.2021 Asked vendor for status update.
21.07.2021 Vendor sent details to development team. Will reply after any status update.
27.07.2021 No status update from the vendor.
28.07.2021 Asked vendor for status update.
30.07.2021 Vendor responds: the Sanyo brand ended in 2012 and the security cameras were supported until 2019. "We are not able to address the reported issues. The websites for Sanyo branded security cameras will be shut down in September 2021."
30.07.2021 Replied to the vendor.
30.07.2021 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
30.07.2021 Initial release
02.08.2021 Added references [3], [4], [5] and [6]
10.01.2023 Added references [7] and [8]
26.01.2023 Added reference [9]