[Japanese]

JVNDB-2022-000084

Multiple vulnerabilities in FUJI SOFT network devices

Overview

USB dongle +F FS040U and mobile routers +F FS020W/+F FS030W/+F FS040W provided by FUJI SOFT INCORPORATED contain multiple vulnerabilities listed below.
  • Plaintext Storage of a Password (CWE-256) - CVE-2022-43442
  • Cross-Site Request Forgery (CWE-352) - CVE-2022-43470

Tomohisa Hasegawa of Canon IT Solutions Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.6 (Medium) [IPA Score]
  • Attack Vector: physics
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.1 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-43442


CVSS V3 Severity:
Base Metrics 4.6 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 3.2 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-43470
Affected Products


FUJISOFT INCORPORATED
  • +F FS020W software versions v4.0.0 and earlier(CVE-2022-43470)
  • +F FS030W software versions v3.3.5 and earlier(CVE-2022-43470)
  • +F FS040U software versions v2.3.4 and earlier(CVE-2022-43442, CVE-2022-43470)
  • +F FS040W software versions v1.4.1 and earlier(CVE-2022-43470)

Impact

  • An attacker may obtain the login password of +F FS040U and log in to the management console - CVE-2022-43442
  • If a user views a malicious page while logged in with the administrative privilege, unintended operations may be performed - CVE-2022-43470
Solution

[Update the software]
For the products besides +F FS020W, update is provided from the developer.
Update the software to the latest version according to the information provided by the developer.

[Apply the Workaround]
For +F FS020W, apply the workaround according to the information provided by the developer to mitigate the impact of the vulnerability.
Vendor Information

FUJISOFT INCORPORATED
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
  2. Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-43442
  2. CVE-2022-43470
References

  1. JVN : JVN#74285622
Revision History

  • [2022/10/28]
      Web page was published