[Japanese]

JVNDB-2023-000074

Fujitsu Real-time Video Transmission Gear "IP series" uses a hard-coded credentials

Overview

Real-time Video Transmission Gear "IP series" provided by Fujitsu Limited uses a hard-coded credentials (CWE-798) .
The product's credentials for factory testing may be obtained by reverse engineering and others.

Fujitsu Limited reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fujitsu Limited coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.9 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


FUJITSU
  • IP-90 firmware firmware versions V01L001 to V01L013
  • IP-900D firmware firmware versions V01L001 to V02L061
  • IP-900E firmware firmware versions V01L001 to V02L061
  • IP-900 2 D firmware firmware versions V01L001 to V02L061
  • IP-920D firmware firmware versions V01L001 to V02L061
  • IP-920E firmware firmware versions V01L001 to V02L061
  • IP-9610 firmware firmware versions V01L001 to V02L007
  • IP-HE900D firmware firmware versions V01L001 to V01L004
  • IP-HE900E firmware firmware versions V01L001 to V01L010
  • IP-HE950D firmware firmware versions V01L001 to V01L053
  • IP-HE950E firmware firmware versions V01L001 to V01L053

Impact

An attacker who log in to the web interface using the obtained credentials may initialize or reboot the products, and as a result, terminate the video transmission.
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

[Apply a workaround]
Applying a following workaround may mitigate the impacts of this vulnerability.
* Place the products on a secure network
Vendor Information

FUJITSU
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-38433
References

  1. JVN : JVN#95727578
  2. National Vulnerability Database (NVD) : CVE-2023-38433
  3. ICS-CERT ADVISORY : ICSA-23-248-01
Revision History

  • [2023/07/26]
      Web page was published
  • [2023/09/06]
      References : Content was added
  • [2024/04/12]
      References : Content was added

Date Public2023/07/26
Date First Published2023/07/26
Date Last Updated2024/04/12