CVE-2023-34552

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In certain EZVIZ products, two stack based buffer overflows in mulicast_parse_sadp_packet and mulicast_get_pack_type functions of the SADP multicast protocol can allow an unauthenticated attacker present on the same local network as the camera to achieve remote code execution. This affects CS-C6N-B0-1G2WF Firmware versions before V5.3.0 build 230215 and CS-C6N-R101-1G2WF Firmware versions before V5.3.0 build 230215 and CS-CV310-A0-1B2WFR Firmware versions before V5.3.0 build 230221 and CS-CV310-A0-1C2WFR-C Firmware versions before V5.3.2 build 230221 and CS-C6N-A0-1C2WFR-MUL Firmware versions before V5.3.2 build 230218 and CS-CV310-A0-3C2WFRL-1080p Firmware versions before V5.2.7 build 230302 and CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p Firmware versions before V5.3.2 build 230214 and CS-CV248-A0-32WMFR Firmware versions before V5.2.3 build 230217 and EZVIZ LC1C Firmware versions before V5.3.4 build 230214.

En determinados productos EZVIZ, dos desbordamientos de búfer basados en pila en las funciones mulicast_parse_sadp_packet y mulicast_get_pack_type del protocolo de multidifusión SADP pueden permitir a un atacante no autenticado presente en la misma red local que la cámara lograr la ejecución remota de código. Esto afecta a las versiones de firmware CS-C6N-B0-1G2WF anteriores a V5.3.0 build 230215 y a las versiones de firmware CS-C6N-R101-1G2WF anteriores a V5.3.0 build 230215 y a las versiones de firmware CS-CV310-A0-1B2WFR anteriores a V5.3.0 build 230221 y a las versiones de firmware CS-CV310-A0-1C2WFR-C anteriores a V5.3.2 build 230221 y a las versiones de firmware CS-C6N-A0-1C2WFR-MUL anteriores a V5.3.2 build 230218 y a las versiones de firmware CS-C6N-A0-1C2WFR-MUL anteriores a V5.3.2 build 230218 y a las versiones de firmware CS-CV310-A0-3C2WFRL-1080p anteriores a V5.2.7 build 230302 y a las versiones de firmware CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p anteriores a V5.3.2 build 230214 y a las versiones de firmware CS-CV248-A0-32WMFR anteriores a V5.2.3 build 230217 y a las versiones de firmware EZVIZ LC1C anteriores a V5.3.4 build 230214.

*Credits: N/A

CVSS Scores

NISTv3.1 8.8

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-06-07 CVE Reserved
2023-08-01 CVE Published
2024-08-02 CVE Updated
2024-09-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (2)

URL	Tag	Source
http://ezviz.com	Product

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.ezviz.com/data-security/security-notice/detail/827	2023-08-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ezviz Search vendor "Ezviz"	Cs-c6n-b0-1g2wf Firmware Search vendor "Ezviz" for product "Cs-c6n-b0-1g2wf Firmware"	<= 5.3.0 Search vendor "Ezviz" for product "Cs-c6n-b0-1g2wf Firmware" and version " <= 5.3.0"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-c6n-b0-1g2wf Search vendor "Ezviz" for product "Cs-c6n-b0-1g2wf"	-	-	Safe
Ezviz Search vendor "Ezviz"	Cs-c6n-r101-1g2wf Firmware Search vendor "Ezviz" for product "Cs-c6n-r101-1g2wf Firmware"	<= 5.3.0 Search vendor "Ezviz" for product "Cs-c6n-r101-1g2wf Firmware" and version " <= 5.3.0"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-c6n-r101-1g2wf Search vendor "Ezviz" for product "Cs-c6n-r101-1g2wf"	-	-	Safe
Ezviz Search vendor "Ezviz"	Cs-cv310-a0-1b2wfr Firmware Search vendor "Ezviz" for product "Cs-cv310-a0-1b2wfr Firmware"	<= 5.3.0 Search vendor "Ezviz" for product "Cs-cv310-a0-1b2wfr Firmware" and version " <= 5.3.0"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-cv310-a0-1b2wfr Search vendor "Ezviz" for product "Cs-cv310-a0-1b2wfr"	-	-	Safe
Ezviz Search vendor "Ezviz"	Cs-cv310-a0-1c2wfr-c Firmware Search vendor "Ezviz" for product "Cs-cv310-a0-1c2wfr-c Firmware"	<= 5.3.2 Search vendor "Ezviz" for product "Cs-cv310-a0-1c2wfr-c Firmware" and version " <= 5.3.2"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-cv310-a0-1c2wfr-c Search vendor "Ezviz" for product "Cs-cv310-a0-1c2wfr-c"	-	-	Safe
Ezviz Search vendor "Ezviz"	Cs-c6n-a0-1c2wfr-mul Firmware Search vendor "Ezviz" for product "Cs-c6n-a0-1c2wfr-mul Firmware"	<= 5.3.2 Search vendor "Ezviz" for product "Cs-c6n-a0-1c2wfr-mul Firmware" and version " <= 5.3.2"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-c6n-a0-1c2wfr-mul Search vendor "Ezviz" for product "Cs-c6n-a0-1c2wfr-mul"	-	-	Safe
Ezviz Search vendor "Ezviz"	Cs-cv310-a0-3c2wfrl-1080p Firmware Search vendor "Ezviz" for product "Cs-cv310-a0-3c2wfrl-1080p Firmware"	<= 5.2.7 Search vendor "Ezviz" for product "Cs-cv310-a0-3c2wfrl-1080p Firmware" and version " <= 5.2.7"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-cv310-a0-3c2wfrl-1080p Search vendor "Ezviz" for product "Cs-cv310-a0-3c2wfrl-1080p"	-	-	Safe
Ezviz Search vendor "Ezviz"	Cs-cv310-a0-1c2wfr Firmware Search vendor "Ezviz" for product "Cs-cv310-a0-1c2wfr Firmware"	<= 5.3.2 Search vendor "Ezviz" for product "Cs-cv310-a0-1c2wfr Firmware" and version " <= 5.3.2"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-cv310-a0-1c2wfr Search vendor "Ezviz" for product "Cs-cv310-a0-1c2wfr"	-	-	Safe
Ezviz Search vendor "Ezviz"	Cs-cv248-a0-32wmfr Firmware Search vendor "Ezviz" for product "Cs-cv248-a0-32wmfr Firmware"	<= 5.2.3 Search vendor "Ezviz" for product "Cs-cv248-a0-32wmfr Firmware" and version " <= 5.2.3"	-	Affected	in	Ezviz Search vendor "Ezviz"	Cs-cv248-a0-32wmfr Search vendor "Ezviz" for product "Cs-cv248-a0-32wmfr"	-	-	Safe
Ezviz Search vendor "Ezviz"	Lc1c Firmware Search vendor "Ezviz" for product "Lc1c Firmware"	<= 5.3.4 Search vendor "Ezviz" for product "Lc1c Firmware" and version " <= 5.3.4"	-	Affected	in	Ezviz Search vendor "Ezviz"	Lc1c Search vendor "Ezviz" for product "Lc1c"	-	-	Safe