CVE-2023-47213

9.8 CRITICAL

📋 TL;DR

First Corporation DVRs contain a hard-coded password vulnerability that allows remote unauthenticated attackers to access and modify device configuration. This affects multiple DVR models from First Corporation, with only some models receiving security updates while others require workarounds.

💻 Affected Systems

Products:
  • First Corporation DVRs including CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, MD-808AB and other unspecified models
Versions: All versions with hard-coded credentials
Operating Systems: Embedded DVR firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only Late models of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB receive updates. Other products require workarounds.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover allowing attackers to reconfigure DVRs, disable security features, access video feeds, or use devices as part of botnets for DDoS attacks.

🟠 Likely Case: Unauthorized access to video surveillance feeds, device configuration tampering, and potential use of devices in coordinated attacks.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - DVRs are often exposed to the internet for remote access, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to DVR devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY - Hard-coded credential vulnerabilities are commonly exploited in IoT devices.
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Attackers only need to know the hard-coded password to gain access.

The vulnerability requires network access to the DVR's management interface. Attackers can use automated tools to scan for vulnerable devices.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updates available for Late models only

Vendor Advisory: https://www.c-first.co.jp/information/ddososhirase/

Restart Required: Yes

Instructions:

1. Check if your DVR model is a Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, or MD-808AB.
2. If yes, apply firmware update from vendor.
3. If no, implement workarounds.
4. Change all default credentials after update.

🔧 Temporary Workarounds

Network Segmentation

Isolate DVRs from internet and restrict network access

Access Control Lists

Implement firewall rules to restrict access to DVR management interfaces

🧯 If You Can't Patch

  • Remove DVRs from internet-facing networks and place behind VPN or secure gateway
  • Implement strict network segmentation to isolate DVRs from critical networks

🔍 How to Verify

Check if Vulnerable:

Attempt to access DVR web interface using default/hard-coded credentials. Check device model against affected list.

Check Version:

Check firmware version through DVR web interface or device display

Verify Fix Applied:

Verify firmware version has been updated and test that hard-coded credentials no longer work.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful login with default credentials
  • Configuration changes from unknown IP addresses
  • Multiple login attempts from single sources

Network Indicators:

  • Unusual outbound traffic from DVR devices
  • Connections to known malicious IPs from DVRs
  • Port scanning originating from DVR network segments

SIEM Query:

source_ip="DVR_IP" AND ((event_type="authentication" AND result="success" AND user="default") OR (event_type="configuration_change" AND user!="authorized_user"))
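
Added example (not from the vendor advisory or this page's source): the three log indicators above applied to a constructed event stream, using the field names from the SIEM query. The management subnet, time window, attempt threshold and the `ev`/`detect` helpers are assumptions for illustration, and any success after failures is flagged regardless of account name.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for illustration: management subnet, window and threshold.
ADMIN_NETS = [ip_network("10.20.0.0/24")]
WINDOW_S = 300      # seconds of login history kept per source
MAX_ATTEMPTS = 5    # login attempts from one source inside the window

def ev(ts, src, kind, result="", user=""):
    """Build one event using the field names from the SIEM query."""
    return {"ts": ts, "source_ip": src, "event_type": kind,
            "result": result, "user": user}

# Constructed sample events, not real DVR logs.
EVENTS = [
    ev(0, "10.20.0.15", "authentication", "success", "operator"),
    ev(10, "203.0.113.7", "authentication", "failure", "admin"),
    ev(20, "203.0.113.7", "authentication", "failure", "admin"),
    ev(30, "203.0.113.7", "authentication", "failure", "root"),
    ev(40, "203.0.113.7", "authentication", "failure", "root"),
    ev(50, "203.0.113.7", "authentication", "success", "default"),
    ev(60, "203.0.113.7", "configuration_change", user="default"),
    ev(70, "10.20.0.15", "configuration_change", user="operator"),
]

def detect(events, admin_nets=ADMIN_NETS):
    """Return (ts, source_ip, rule) alerts for the three log indicators."""
    alerts = []
    history = defaultdict(list)   # source_ip -> [(ts, result)] in window
    for e in sorted(events, key=lambda x: x["ts"]):
        src = e["source_ip"]
        if e["event_type"] == "authentication":
            recent = [(t, r) for t, r in history[src] if e["ts"] - t <= WINDOW_S]
            recent.append((e["ts"], e["result"]))
            history[src] = recent
            failed_before = any(r == "failure" for _, r in recent[:-1])
            if e["result"] == "success" and failed_before:
                alerts.append((e["ts"], src, "fail_then_success"))
            if len(recent) == MAX_ATTEMPTS:   # fires when the count reaches the threshold
                alerts.append((e["ts"], src, "many_attempts"))
        elif e["event_type"] == "configuration_change":
            if not any(ip_address(src) in net for net in admin_nets):
                alerts.append((e["ts"], src, "config_from_unknown_ip"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```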
