[Japanese]

JVNDB-2023-000122

Multiple denial-of-service (DoS) vulnerabilities in JTEKT ELECTRONICS HMI GC-A2 series

Overview

HMI GC-A2 series provided by JTEKT ELECTRONICS CORPORATION contains multiple denial-of-service (DoS) vulnerabilities listed below.
  • Denial-of-service (DoS) vulnerability in FTP service (CWE-400) - CVE-2023-41963
  • Denial-of-service (DoS) vulnerability in commplex-link service (CWE-400) - CVE-2023-49140
  • Denial-of-service (DoS) vulnerability in rfe service (CWE-400) - CVE-2023-49143
  • Denial-of-service (DoS) vulnerability in NetBIOS service (CWE-400) - CVE-2023-49713

JTEKT ELECTRONICS CORPORATION reported these vulnerabilities to IPA to notify users of the solution through JVN. JPCERT/CC and JTEKT ELECTRONICS CORPORATION coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-41963

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-49140

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-49143

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-49713
Affected Products


JTEKT ELECTRONICS CORPORATION
  • GC-A22W-CW all versions
  • GC-A24 all versions
  • GC-A24-M all versions
  • GC-A24W-C(W) all versions
  • GC-A25 all versions
  • GC-A26 all versions
  • GC-A26-J2 all versions
  • GC-A26W-C(W) all versions
  • GC-A27-C all versions
  • GC-A28-C all versions

Impact

A remote attacker may be able to cause a denial of service (DoS) condition by sending specially crafted packets to specific ports.
Solution

[Apply the Workaround]
Apply the following workaround to mitigate the impacts of these vulnerabilities.
  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when connecting the product to the Internet.
Vendor Information

JTEKT ELECTRONICS CORPORATION
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-41963
  2. CVE-2023-49140
  3. CVE-2023-49143
  4. CVE-2023-49713
References

  1. JVN : JVN#34145838
  2. National Vulnerability Database (NVD) : CVE-2023-41963
  3. National Vulnerability Database (NVD) : CVE-2023-49140
  4. National Vulnerability Database (NVD) : CVE-2023-49143
  5. National Vulnerability Database (NVD) : CVE-2023-49713
Revision History

  • [2023/12/11]
      Web page was published
  • [2024/04/22]
      References : Contents were added

Date Public2023/12/11
Date First Published2023/12/11
Date Last Updated2024/04/22