JVNDB-2023-002722

Fujitsu network devices Si-R series and SR-M series vulnerable to authentication bypass

Overview

The web management interface of Fujitsu network devices Si-R series and SR-M series contains an authentication bypass vulnerability (CWE-287, CVE-2023-38555).

Katsuhiko Sato (a.k.a. goroh_kun) of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.4 (Medium)
  • Attack Vector: Adjacent Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.8 (Medium)
  • Access Vector: Adjacent Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Complete
  • Availability Impact: Partial
Affected Products
FUJITSU
  • Si-R 130B firmware all versions
  • Si-R 220D firmware all versions
  • Si-R 30B firmware all versions
  • Si-R 370B firmware all versions
  • Si-R 570B firmware all versions
  • Si-R 90brin firmware all versions
  • Si-R G100 firmware V02.54 and earlier
  • Si-R G100B firmware V04.12 and earlier
  • Si-R G110B firmware V04.12 and earlier
  • Si-R G120 firmware V20.52 and earlier
  • Si-R G121 firmware V20.52 and earlier
  • Si-R G200 firmware V02.54 and earlier
  • Si-R G200B firmware V04.12 and earlier
  • Si-R G210 firmware V20.52 and earlier
  • Si-R G211 firmware V20.52 and earlier
  • SR-M 50AP1 firmware all versions

Impact

An attacker who can access the product may obtain the product's configuration information or change/reset the configuration settings.

Solution

[Update the firmware]
Update firmware to the latest version according to the information provided by the developer.
The developer plans to publish updates for Si-RG V2 series, Si-RG V4 series, and Si-RG V20 series in August 2023.

[Apply the workarounds]
Applying the following workarounds may mitigate the impacts of this vulnerability.
* Change the product's settings to disable HTTP/HTTPS functions
* Do not use the web management interface of the affected products

To apply the workaround for Si-R 30B or Si-R 130B, the firmware must be updated to the following versions.
* Si-R 30B V02.05
* Si-R 130B V04.09

For the details, refer to the information provided by the developer.

Vendor Information

FUJITSU

CWE

  1. Improper Authentication (CWE-287)

CVE

  1. CVE-2023-38555

References

  1. JVN: JVNVU#96643580
  2. National Vulnerability Database (NVD): CVE-2023-38555

Revision History

  • [2023/07/27]
      Web page was published
  • [2024/04/19]
      Affected Products : Products were added