Vulnerability identifier: #VU21209
Vulnerability risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software (every model is listed under Hardware solutions / Office equipment, IP-phones, print servers):
HEN32103L, HEN16103L, HEN08103L, HEN04103L, HEN16163, HEN16143, HEN16123, HEN16103, HEN08143, HEN08123, HEN08113, HEN08103, HEN04123, HEN04113, HEN04103,
HEN643484, HEN643324, HEN643164, HEN64304, HEN64204, HEN323164, HEN32384, HEN32304, HEN322164, HEN32284, HEN32204, HEN321124, HEN32104,
HEN16384, HEN16304, HEN16284, HEN162244, HEN16204, HEN16184, HEN16144, HEN16104, HEN081124, HEN08144, HEN08104,
HPW2P1, H4W2PER3, HBW2PER2, H4W2PER2, HEW2PER2, HEW4PER2B, HEW4PER2, HBW2PER1, HEW4PER3B, HEW2PER3, H2W2PER3, H2W4PEr3, H2W2PC1M,
HBW8PR2, H4W8PR2, HBD3PR1, H4D3PRV2, HED3PR3, H4D3PRV3, HBD3PR2
Vendor: Honeywell International, Inc
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the integrated web server of the affected devices allows web configuration data for IP cameras and NVRs (Network Video Recorders) to be obtained in JSON format. A remote attacker can gain unauthorized access to view device configuration information.
Mitigation
Contact the vendor to obtain firmware update packages.
Vulnerable software versions
HEN32103L: All versions
HEN16103L: All versions
HEN08103L: All versions
HEN04103L: All versions
HEN16163: All versions
HEN16143: All versions
HEN16123: All versions
HEN16103: All versions
HEN08143: All versions
HEN08123: All versions
HEN08113: All versions
HEN08103: All versions
HEN04123: All versions
HEN04113: All versions
HEN04103: All versions
HEN643484: All versions
HEN643324: All versions
HEN643164: All versions
HEN64304: All versions
HEN64204: All versions
HEN323164: All versions
HEN32384: All versions
HEN32304: All versions
HEN322164: All versions
HEN32284: All versions
HEN32204: All versions
HEN321124: All versions
HEN32104: All versions
HEN16384: All versions
HEN16304: All versions
HEN16284: All versions
HEN162244: All versions
HEN16204: All versions
HEN16184: All versions
HEN16144: All versions
HEN16104: All versions
HEN081124: All versions
HEN08144: All versions
HEN08104: All versions
HPW2P1: All versions
H4W2PER3: All versions
HBW2PER2: All versions
H4W2PER2: All versions
HEW2PER2: All versions
HEW4PER2B: All versions
HEW4PER2: All versions
HBW2PER1: All versions
HEW4PER3B: All versions
HEW2PER3: All versions
H2W2PER3: All versions
H2W4PEr3: All versions
H2W2PC1M: All versions
HBW8PR2: All versions
H4W8PR2: All versions
HBD3PR1: All versions
H4D3PRV2: All versions
HED3PR3: All versions
H4D3PRV3: All versions
HBD3PR2: All versions
External links
http://www.us-cert.gov/ics/advisories/icsa-19-260-03
http://www.security.honeywell.com/-/media/Security/Resources/PDF/Product-Warranty/Security-Notification-May-2019-pdf.pdf?la=en-US&hash=15B712A99CD068FF0D8CB494BC96AB46E2122672
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.