[Japanese]

JVNDB-2021-000015

FileZen vulnerable to OS command injection

Overview

FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface.
FileZen contains an OS command injection vulnerability (CWE-78).

Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.1 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 9.0 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products


Soliton Systems K.K.
  • FileZen versions from V3.0.0 to V4.2.7
  • FileZen versions from V5.0.0 to V5.0.2

Impact

A remote attacker who obtained the administrative account of this product may execute an arbitrary OS command.
Solution

[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been already addressed in the following firmware versions.
*FileZen V4.2.8
*FileZen V5.0.3

[Apply workarounds]
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying following mitigations to this product.
*Disabe the initial administrator account "admin"
*Change the System Administrator account's ID and Password
*Set the System Administrator account to prevent log on from the internet

For more information, refer to the information provided by the developer (in Japanese).
Vendor Information

Soliton Systems K.K.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20655
References

  1. JVN : JVN#58774946
  2. National Vulnerability Database (NVD) : CVE-2021-20655
  3. IPA SECURITY ALERTS : Regarding OS Command Injection vulnerability in FileZen (JVN#58774946) (in Japanese)
  4. JPCERT : Alert Regarding Vulnerability (CVE-2021-20655) in FileZen
Revision History

  • [2021/02/16]
      Web page was published
  • [2021/02/17]
      References : Content was added
  • [2021/03/05]
      Solution : Content was modified