CVE-2019-14707 - OpenCVE

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The firmware update process is insecure, leading to remote code execution. The attacker can provide arbitrary firmware in a .dat file via a webparam?system&action=set&upgrade URI.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Microdigital	Mdc-n2190v Mdc-n2190v Firmware Mdc-n4090w Firmware Mdc-n4090w Mdc-n4090 Firmware Mdc-n4090

Configuration 1 [-]

AND

cpe:2.3:o:microdigital:mdc-n4090_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:microdigital:mdc-n4090:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:microdigital:mdc-n4090w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:microdigital:mdc-n4090w:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:microdigital:mdc-n2190v_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:microdigital:mdc-n2190v:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.microdigital.co.kr/	Vendor Advisory
https://pastebin.com/PSyqqs1g	Third Party Advisory
https://www.microdigital.ru/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-06T22:23:19

Updated: 2019-08-06T22:23:19

Reserved: 2019-08-06T00:00:00

Link: CVE-2019-14707

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-08-06T23:15:12.853

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-14707

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The firmware update process is insecure, leading to remote code execution. The attacker can provide arbitrary firmware in a .dat file via a webparam?system&action=set&upgrade URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-06T22:23:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.microdigital.ru/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.microdigital.co.kr/"}, {"tags": ["x_refsource_MISC"], "url": "https://pastebin.com/PSyqqs1g"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14707", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The firmware update process is insecure, leading to remote code execution. The attacker can provide arbitrary firmware in a .dat file via a webparam?system&action=set&upgrade URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.microdigital.ru/", "refsource": "MISC", "url": "https://www.microdigital.ru/"}, {"name": "http://www.microdigital.co.kr/", "refsource": "MISC", "url": "http://www.microdigital.co.kr/"}, {"name": "https://pastebin.com/PSyqqs1g", "refsource": "MISC", "url": "https://pastebin.com/PSyqqs1g"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14707", "datePublished": "2019-08-06T22:23:19", "dateReserved": "2019-08-06T00:00:00", "dateUpdated": "2019-08-06T22:23:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microdigital:mdc-n4090_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D55CED3-7FBF-49DA-8839-238BD0F12694", "versionEndIncluding": "6400.0.8.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:microdigital:mdc-n4090:-:*:*:*:*:*:*:*", "matchCriteriaId": "87113142-90AD-448E-9E5B-D01B95B6EB34", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microdigital:mdc-n4090w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B0AB679-83C7-4A48-B1B6-538E30EE2ADC", "versionEndIncluding": "6400.0.8.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:microdigital:mdc-n4090w:-:*:*:*:*:*:*:*", "matchCriteriaId": "AB3AD88D-A959-49BB-895C-01CA2068FBDA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microdigital:mdc-n2190v_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4909796B-CF2B-4CBE-9875-E2C595BC62D9", "versionEndIncluding": "6400.0.8.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:microdigital:mdc-n2190v:-:*:*:*:*:*:*:*", "matchCriteriaId": "CDC2E118-00CD-4788-9D52-E0CD9C91F26B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The firmware update process is insecure, leading to remote code execution. The attacker can provide arbitrary firmware in a .dat file via a webparam?system&action=set&upgrade URI."}, {"lang": "es", "value": "Se detect\u00f3 un problema en las c\u00e1maras N-series de MicroDigital con versi\u00f3n de firmware hasta 6400.0.8.5. El proceso de actualizaci\u00f3n del firmware no es seguro, conllevando a la ejecuci\u00f3n de c\u00f3digo remota. El atacante puede proporcionar firmware arbitrario en un archivo .dat mediante un URI webparam?System&action=set&upgrade."}], "id": "CVE-2019-14707", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-06T23:15:12.853", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.microdigital.co.kr/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://pastebin.com/PSyqqs1g"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.microdigital.ru/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}