JVNDB-2022-002338

PLANEX MZK-DP150N contains hidden administrative functionality

Overview

MZK-DP150N provided by PLANEX COMMUNICATIONS INC. contains a hidden administrative screen (CVE-2021-37289, CWE-912).

In the product's initial settings, the login account for the configuration screen is the same on every unit.
Change the account information from the initial settings before using the product.

Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

PLANEX COMMUNICATIONS INC.
  • MZK-DP150N v1.43 and earlier

Impact

A user who can log in to the configuration screen may execute arbitrary OS commands with administrative privileges.

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
The developer has released MZK-DP150N v1.44 which fixes this vulnerability.

Vendor Information

PLANEX COMMUNICATIONS INC.

CWE

  1. Hidden Functionality (CWE-912) [Other]

CVE

  1. CVE-2021-37289

References

  1. JVN : JVNVU#98291763

Revision History

  • [2022/08/23]
      Web page was published