JVNDB-2022-000030
|
Multiple vulnerabilities in Operation management interface of FUJITSU Network IPCOM
|
FUJITSU Network IPCOM provided by FUJITSU LIMITED is an integrated network appliance.
The operation management interface used to operate FUJITSU Network IPCOM contains the multiple vulnerabilities listed below.
* OS command injection in the web console (CWE-78) - CVE-2022-29516
* Buffer overflow in the Command Line Interface (CWE-120) - CVE-2020-10188
FUJITSU LIMITED reported these vulnerabilities to IPA to notify users of its solution through JVN. JPCERT/CC and FUJITSU LIMITED coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 10.0 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-29516.
|
CVSS V3 Severity: Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 10.0 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The product uses a previous version of netkit-telnet, which contains a known vulnerability.
The above CVSS base scores have been assigned for CVE-2020-10188.
|
|
FUJITSU
- IPCOM EX2 series
- IPCOM EX series
- IPCOM VA2/VE1 series
- IPCOM VE2 series
|
|
* A remote attacker may execute an arbitrary OS command.
* A remote attacker may obtain and/or alter sensitive information.
* A remote attacker may be able to cause a denial-of-service (DoS).
|
[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
These vulnerabilities have already been addressed in the following firmware versions.
* IPCOM EX2 V01L05 NF0501
* IPCOM EX2 V01L20 NF0301
* IPCOM EX2 V02L21 NF0201
* IPCOM EX E20L33 NF1101
* IPCOM EX E30L11 NF0501
* IPCOM VE2 V01L05 NF0303
* IPCOM VA2/VE1 E20L33 NF0902
[Apply the Workaround]
Apply one of the following workarounds to prevent access from anything other than an authorized operation management terminal:
* Prepare a dedicated network on which to deploy the operation management interface, and allow access to the operation management interface only from that network
* Set individual permissions for each operation management terminal
For more information, refer to the information provided by the developer. (Text in Japanese)
|
FUJITSU
|
- Buffer Errors (CWE-119) [IPA Evaluation]
- OS Command Injection (CWE-78) [IPA Evaluation]
|
- CVE-2020-10188
- CVE-2022-29516
|
- JVN : JVN#96561229
- JVN : JVNVU#96424864
- National Vulnerability Database (NVD) : CVE-2020-10188
- National Vulnerability Database (NVD) : CVE-2022-29516
- JPCERT REPORT : JPCERT-AT-2022-0013
|
- [2022/05/09] Web page was published
- [2022/05/10] References : Content was added
- [2022/05/19] Solution was modified
- [2022/05/30] Solution was modified
- [2022/06/03] Solution was modified
- [2022/06/10] Solution was modified
- [2022/06/16] Solution was modified
- [2022/07/21] Overview : Content was modified; CWE : Content was modified
- [2024/06/19] References : Contents were added
- [2024/07/18] References : Content was added
|