[Japanese]

JVNDB-2023-000002

Digital Arts m-FILTER vulnerable to improper authentication

Overview

m-FILTER provided by Digital Arts Inc. is an emaill security product.
m-FILTER contains an improper authentication vulnerability (CWE-287) when emails are being sent under certain conditions, and unintended emails may be sent by a remote attacker.

Digital Arts Inc. states that attacks exploiting this vulnerability have been observed.

Digital Arts Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Digital Arts Inc. coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products


Digital Arts Inc.
  • m-FILTER prior to Ver.5.70R01 (Ver.5 Series)
  • m-FILTER prior to Ver.4.87R04 (Ver.4 Series)

The developer states that m-FILTER@Cloud had been affected by this vulnerability as well.
Impact

Exploiting this vulnerability may result in the impacts listed below.
  • The source IP address is blacklisted and emails cannot be sent
  • If the archive function is being used, sent unsolicited emails are archived and the disk space is oppressed
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
The developer has released the following versions to fix the vulnerability.
  • m-FILTER Ver.5.70R01 (Ver.5 Series)
  • m-FILTER Ver.4.87R04 (Ver.4 Series)

The issue in m-FILTER@Cloud is already fixed with the update on December 23, 2022.
Vendor Information

Digital Arts Inc.
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-22278
References

  1. JVN : JVN#55675303
  2. National Vulnerability Database (NVD) : CVE-2023-22278
Revision History

  • [2023/01/06]
      Web page was published