Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU21209
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13523
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the integrated web server of the affected devices allows web configuration data for IP cameras and NVRs (Network Video Recorders) to be obtained in JSON format. A remote attacker can gain unauthorized access to view device configuration information.
Mitigation
Contact the vendor to obtain firmware update packages.
Vulnerable software versions
HEN32103L: All versions
HEN16103L: All versions
HEN08103L: All versions
HEN04103L: All versions
HEN16163: All versions
HEN16143: All versions
HEN16123: All versions
HEN16103: All versions
HEN08143: All versions
HEN08123: All versions
HEN08113: All versions
HEN08103: All versions
HEN04123: All versions
HEN04113: All versions
HEN04103: All versions
HEN643484: All versions
HEN643324: All versions
HEN643164: All versions
HEN64304: All versions
HEN64204: All versions
HEN323164: All versions
HEN32384: All versions
HEN32304: All versions
HEN322164: All versions
HEN32284: All versions
HEN32204: All versions
HEN321124: All versions
HEN32104: All versions
HEN16384: All versions
HEN16304: All versions
HEN16284: All versions
HEN162244: All versions
HEN16204: All versions
HEN16184: All versions
HEN16144: All versions
HEN16104: All versions
HEN081124: All versions
HEN08144: All versions
HEN08104: All versions
HPW2P1: All versions
H4W2PER3: All versions
HBW2PER2: All versions
H4W2PER2: All versions
HEW2PER2: All versions
HEW4PER2B: All versions
HEW4PER2: All versions
HBW2PER1: All versions
HEW4PER3B: All versions
HEW2PER3: All versions
H2W2PER3: All versions
H2W4PEr3: All versions
H2W2PC1M: All versions
HBW8PR2: All versions
H4W8PR2: All versions
HBD3PR1: All versions
H4D3PRV2: All versions
HED3PR3: All versions
H4D3PRV3: All versions
HBD3PR2: All versions
External links
http://www.us-cert.gov/ics/advisories/icsa-19-260-03
http://www.security.honeywell.com/-/media/Security/Resources/PDF/Product-Warranty/Security-Notification-May-2019-pdf.pdf?la=en-US&hash=15B712A99CD068FF0D8CB494BC96AB46E2122672
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.