JVNDB-2021-000015

FileZen vulnerable to OS command injection

FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface.
FileZen contains an OS command injection vulnerability (CWE-78).

Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.

Soliton Systems K.K.

• FileZen versions from V3.0.0 to V4.2.7
• FileZen versions from V5.0.0 to V5.0.2

A remote attacker who obtained the administrative account of this product may execute an arbitrary OS command.

[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been already addressed in the following firmware versions.
*FileZen V4.2.8
*FileZen V5.0.3

[Apply workarounds]
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying following mitigations to this product.
*Disabe the initial administrator account "admin"
*Change the System Administrator account's ID and Password
*Set the System Administrator account to prevent log on from the internet

For more information, refer to the information provided by the developer (in Japanese).

Soliton Systems K.K.

• Soliton Systems K.K. : Soliton Systems K.K. website (in Japanese)

1. OS Command Injection(CWE-78) [IPA Evaluation]

1. CVE-2021-20655

1. JVN : JVN#58774946
2. National Vulnerability Database (NVD) : CVE-2021-20655
3. IPA SECURITY ALERTS : Regarding OS Command Injection vulnerability in FileZen (JVN#58774946) (in Japanese)
4. JPCERT : Alert Regarding Vulnerability (CVE-2021-20655) in FileZen

• [2021/02/16]
    Web page was published
• [2021/02/17]
    References : Content was added
• [2021/03/05]
    Solution : Content was modified