|
[Japanese]
|
JVNDB-2024-011744
|
REST-APIs unintentionally enabled in Century Systems FutureNet NXR series routers
|
|
FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration.
But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled (CWE-684).
The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled.
The username and the password for REST-APIs are configured in the factory default configuration.
Century Systems Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
|
|
CVSS V3 Severity:
Base Metrics 9.8 (Critical) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
|
|
Century Systems Co., Ltd.
- FutureNet NXR-G050 series firmware versions 21.12.5 and later but prior to 21.12.11
- FutureNet NXR-G060 series firmware versions prior to 21.15.6C1
- FutureNet NXR-G110 series firmware versions 21.15.7 and later but prior to 21.15.9
|
|
|
An attacker may obtain and/or alter the affected product's settings via REST-APIs.
|
|
[Update the firmware]
Update the firmware to the latest version.
[Apply the workaround]
The developer also announces the workaround for this vulnerability.
For the details of the updates or workarounds, refer to the information provided by the developer.
|
|
Century Systems Co., Ltd.
|
|
- Incorrect Provision of Specified Functionality(CWE-684) [Other]
|
|
- CVE-2024-50357
|
|
- JVN : JVNVU#95001899
|
|
- [2024/11/01]
Web page was published
|
