
JVNDB-2024-011744

REST-APIs unintentionally enabled in Century Systems FutureNet NXR series routers

Overview

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are disabled in the initial (factory default) configuration.
However, the REST-APIs are unexpectedly enabled when the affected product is powered up if either http-server (GUI) or Web authentication is enabled (CWE-684).
Because the factory default configuration has http-server (GUI) enabled, the REST-APIs are also enabled in the factory default state.
In addition, the username and password for the REST-APIs are preset in the factory default configuration.

Century Systems Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Century Systems Co., Ltd.
  • FutureNet NXR-G050 series firmware versions 21.12.5 and later but prior to 21.12.11
  • FutureNet NXR-G060 series firmware versions prior to 21.15.6C1
  • FutureNet NXR-G110 series firmware versions 21.15.7 and later but prior to 21.15.9
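The three ranges above have different shapes (one open-ended, two with an inclusive lower bound and an exclusive upper bound, and one that ends at a "C1" corrective build), which is easy to get wrong in an inventory script. The following is an added example, not code from Century Systems or JPCERT/CC, that encodes the advisory's ranges and triages a constructed device list. It assumes that a trailing "C<n>" denotes a corrective release that sorts after the plain version (21.15.6 < 21.15.6C1 < 21.15.7); the advisory does not define that ordering, and the hostnames in the sample inventory are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected firmware ranges from this advisory, as half-open intervals
# [lower, upper). A lower bound of None means "all earlier versions".
AFFECTED_RANGES: Dict[str, Tuple[Optional[str], str]] = {
    "NXR-G050": ("21.12.5", "21.12.11"),
    "NXR-G060": (None, "21.15.6C1"),
    "NXR-G110": ("21.15.7", "21.15.9"),
}

# Accepts "21.15.6" and "21.15.6C1".
# ASSUMPTION (not stated in the advisory): the trailing "C<n>" is a corrective
# build that sorts after the plain version, so 21.15.6 < 21.15.6C1 < 21.15.7.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:C(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a firmware version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognized firmware version: {version!r}")
    major, minor, patch, corrective = m.groups()
    return (int(major), int(minor), int(patch), int(corrective) if corrective else 0)


def is_affected(series: str, version: str) -> bool:
    """Return True if the series/version pair falls inside an affected range.

    Series not listed in the advisory return False. An unparseable version
    raises ValueError so that an inventory run does not silently pass it.
    """
    bounds = AFFECTED_RANGES.get(series.upper())
    if bounds is None:
        return False
    lower, upper = bounds
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter an inventory of (hostname, series, firmware) down to affected devices."""
    return [dev for dev in inventory if is_affected(dev[1], dev[2])]


# Constructed sample inventory for illustration; these are not real devices.
SAMPLE_INVENTORY = [
    ("rtr-branch-01", "NXR-G050", "21.12.5"),    # affected: lower bound is inclusive
    ("rtr-branch-02", "NXR-G050", "21.12.11"),   # fixed: upper bound is exclusive
    ("rtr-branch-03", "NXR-G060", "21.15.6"),    # affected: sorts before 21.15.6C1
    ("rtr-branch-04", "NXR-G060", "21.15.6C1"),  # fixed
    ("rtr-branch-05", "NXR-G110", "21.15.6"),    # not affected: G110 range starts at 21.15.7
    ("rtr-branch-06", "NXR-G110", "21.15.8"),    # affected
]

if __name__ == "__main__":
    for host, series, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {series} firmware {fw} is affected by CVE-2024-50357; update firmware")
```

Feed it your own (hostname, series, firmware) tuples from a configuration-management export; anything it cannot parse is reported as an error rather than quietly treated as safe.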

Impact

An attacker who can reach the affected product over the network may obtain and/or alter its settings via the REST-APIs.
Solution

[Update the firmware]
Update the firmware to the latest version.

[Apply the workaround]
The developer also provides a workaround for this vulnerability.

For the details of the updates or workarounds, refer to the information provided by the developer.
Vendor Information

Century Systems Co., Ltd.
CWE

  1. Incorrect Provision of Specified Functionality (CWE-684)
CVE

  1. CVE-2024-50357
References

  1. JVN : JVNVU#95001899
Revision History

  • [2024/11/01]
      Web page was published