[Japanese]

JVNDB-2024-003051

FURUNO SYSTEMS Managed Switch ACERA 9010 running in non MS mode with the initial configuration has no password

Overview

In the initial configuration of Managed Switch ACERA 9010 provided by FURUNO Systems Co., Ltd., the password is empty (CWE-258) and the remote access service is enabled.

The products are affected only when running in non MS mode with the initial configuration.

FURUNO SYSTEMS Co.,Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


FURUNO SYSTEMS Co.,Ltd.
  • ACERA 9010-08 firmware v02.04 and earlier
  • ACERA 9010-24 firmware v02.04 and earlier

According to the developer, they are not affected when running in MS mode (in this mode, the device is managed by a UNIFAS server).
Impact

An unauthenticated attacker may log in to the product with no password, and obtain and/or alter information such as network configuration and user information.
Solution

Set a password using CLI commands, if the affected product is used without configuring any password.
For more information, refer to the information provided by the developer.
Vendor Information

FURUNO SYSTEMS Co.,Ltd.
CWE (What is CWE?)

  1. Empty Password in Configuration File(CWE-258) [Other]
CVE (What is CVE?)

  1. CVE-2024-28744
References

  1. JVN : JVNVU#99285099
Revision History

  • [2024/04/02]
      Web page was published

Date Public2024/04/01
Date First Published2024/04/02
Date Last Updated2024/04/02