[Japanese]

JVNDB-2023-000006

Multiple vulnerabilities in PIXELA PIX-RT100

Overview

PIX-RT100 provided by PIXELA CORPORATION contains multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2023-22304
  • Backdoor access issue (CWE-912) - CVE-2023-22316

MASAHIRO IIDA of LAC Co.,Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 8.3 (High) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-22316


CVSS V3 Severity:
Base Metrics 8.0 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.7 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-22304
Affected Products


PIXELA CORPORATION
  • PIX-RT100 versions RT100_TEQ_2.1.1_EQ101 and RT100_TEQ_2.1.2_EQ101

Impact

  • A user who can login to Setting of the product may execute an arbitrary OS command - CVE-2023-22304
  • A network-adjacent attacker may access the product via undocumented Telnet or SSH services - CVE-2023-22316

  • Solution

    [Update the Software]
    Update to the latest version according to the information provided by the developer.
    According to the developer, these vulnerabilities have been fixed in version RT100_TEQ_2.1.3_EQ101.
    Vendor Information

    PIXELA CORPORATION
    CWE (What is CWE?)

    1. OS Command Injection(CWE-78) [IPA Evaluation]
    2. No Mapping(CWE-Other) [IPA Evaluation]
    CVE (What is CVE?)

    1. CVE-2023-22304
    2. CVE-2023-22316
    References

    1. JVN : JVN#57296685
    2. National Vulnerability Database (NVD) : CVE-2023-22304
    3. National Vulnerability Database (NVD) : CVE-2023-22316
    Revision History

    • [2023/01/12]
        Web page was published