Published:2021/02/16  Last Updated:2021/02/16

JVN#58774946
FileZen vulnerable to OS command injection
Critical

Overview

FileZen provided by Soliton Systems K.K. contains an OS command injection vulnerability.

Products Affected

  • FileZen versions from V3.0.0 to V4.2.7
  • FileZen versions from V5.0.0 to V5.0.2

Description

FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface.
FileZen contains an OS command injection vulnerability (CWE-78).

Impact

A remote attacker who obtained the administrative account of this product may execute an arbitrary OS command.

Solution

Apply workarounds
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying following mitigations to this product.

  • Disabe the initial administrator account "admin"
  • Change the System Administrator account's ID and Password
  • Set the System Administrator account to prevent log on from the internet

For more information, refer to the information provided by the developer (in Japanese).

According to the developer, the fixed version will be released in the near future.

Vendor Status

Vendor Status Last Update Vendor Notes
Soliton Systems K.K. Vulnerable 2021/02/16 Soliton Systems K.K. website

References

  1. Information-technology Promotion Agency, Japan (IPA)
    Regarding OS Command Injection vulnerability in FileZen (JVN#58774946) (in Japanese)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score: 9.1
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:S/C:C/I:C/A:C
Base Score: 9.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert JPCERT-AT-2021-0009
Alert Regarding Vulnerability (CVE-2021-20655) in FileZen
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20655
JVN iPedia JVNDB-2021-000015

Update History

2021/02/16
Information under the section "References" and "Other Information" were updated.