JVNDB-2024-000091

IPCOM vulnerable to information disclosure

Overview

SSL Accelerator/SSL-VPN Function of IPCOM provided by Fsas Technologies Inc. contains an information disclosure vulnerability due to observable timing discrepancy (CWE-208).

Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fsas Technologies Inc. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.9 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Fsas Technologies Inc.
  • IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301
  • IPCOM VE2 Series V01L04NF0001 to V01L06NF0112

Impact

An attacker who can capture the encrypted traffic may be able to decrypt part of it.

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

[Apply the workaround]
Applying the following workaround may mitigate the impact of this vulnerability.

* Disable the RSA key exchange cipher suite in the IPCOM cipher suite settings

For more information, refer to the information provided by the developer.
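As an added example, not taken from the advisory or from the vendor's product: a Python check that lists which suites in a TLS cipher configuration still use static RSA key exchange (the suites the workaround removes), plus a helper to confirm on a server you administer that RSA key exchange is no longer accepted. Cipher strings use OpenSSL syntax, which is an assumption; the IPCOM configuration syntax is not shown on this page.

```python
import socket
import ssl
from typing import List

# Two cipher configurations in OpenSSL syntax (assumed; constructed for this example).
WEAK_CIPHERS = "ALL:!aNULL:!eNULL"  # still contains static-RSA (kRSA) suites
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!kRSA"


def rsa_kex_suites(cipher_string: str) -> List[str]:
    """Return the suites in `cipher_string` that use static RSA key exchange.

    OpenSSL reports each suite's key-exchange algorithm: 'kx-rsa' for kRSA,
    'kx-ecdhe' / 'kx-dhe' for ephemeral exchange, 'kx-any' for TLS 1.3 suites.
    Only the 'kx-rsa' suites are relevant to a Bleichenbacher-style timing oracle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return sorted(c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-rsa")


def server_accepts_rsa_kex(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer only kRSA suites to a server you administer.

    True means the server still negotiates RSA key exchange, so the workaround
    is not in effect; False means the handshake was refused for lack of a
    common suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 never uses RSA kex
    ctx.set_ciphers("kRSA:!aNULL:!eNULL")
    # Only the key exchange is under test here, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    print("kRSA suites in weak config:    ", rsa_kex_suites(WEAK_CIPHERS))
    print("kRSA suites in hardened config:", rsa_kex_suites(HARDENED_CIPHERS))
```

Run `server_accepts_rsa_kex("gateway.example.invalid")` (placeholder host) against your own SSL accelerator after applying the workaround; it should return False.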

Vendor Information

Fsas Technologies Inc.

CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]

CVE

  1. CVE-2024-39921

References

  1. JVN : JVN#29238389

Revision History

  • [2024/08/30]
      Web page was published