JVN#38847224
Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext
Overview
Fujitsu Software Infrastructure Manager (ISM), provided by Fujitsu Limited, stores sensitive information in cleartext form under a certain configuration.
Products Affected
- Fujitsu Software Infrastructure Manager Advanced Edition V2.8.0.060
- Fujitsu Software Infrastructure Manager Advanced Edition for PRIMEFLEX V2.8.0.060
- Fujitsu Software Infrastructure Manager Essential Edition V2.8.0.060
Description
Fujitsu Software Infrastructure Manager (ISM) V2.8.0.060, provided by Fujitsu Limited, stores the password for the proxy server in cleartext form in the product's maintenance data (ismsnap) (CWE-312) under the following conditions.
- A proxy server that requires authentication is used for connections from ISM to the Internet
- The user ID and/or the password for the proxy server contains a "\" (backslash) character
- The product's firmware download function is enabled (*)
* This is a function for the Europe Region and is disabled by default
Impact
The password for the proxy server that is configured in ISM may be retrieved from the maintenance data.
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released V2.8.0.061 to fix this vulnerability.
Apply the Workarounds
Applying the following workarounds may mitigate the impact of this vulnerability.
- Use a user ID and a password for the proxy server that do not include the "\" (backslash) character when downloading firmware
- Store the maintenance data in a trusted location, and delete it when it is no longer needed
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Fujitsu Limited | Vulnerable | 2023/08/04 | Fujitsu Limited website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 base metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability) and CVSS v2 base metrics (Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability): the selected values are not preserved in this copy of the page.
Comment
The analysis assumes that an attacker directs the administrator to collect maintenance data.
Credit
Fujitsu Limited reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fujitsu Limited coordinated under the Information Security Early Warning Partnership.
Other Information
Item | Identifier |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2023-39379 |
JVN iPedia | JVNDB-2023-000077 |