Published: 2022/10/28  Last Updated: 2022/10/28

JVN#74285622
Multiple vulnerabilities in FUJI SOFT network devices

Overview

Network devices provided by FUJI SOFT INCORPORATED contain multiple vulnerabilities.

Products Affected

CVE-2022-43442
  • +F FS040U software versions v2.3.4 and earlier

CVE-2022-43470
  • +F FS040U software versions v2.3.4 and earlier
  • +F FS020W software versions v4.0.0 and earlier
  • +F FS030W software versions v3.3.5 and earlier
  • +F FS040W software versions v1.4.1 and earlier

Description

USB dongle +F FS040U and mobile routers +F FS020W/+F FS030W/+F FS040W provided by FUJI SOFT INCORPORATED contain multiple vulnerabilities listed below.

  • Plaintext Storage of a Password (CWE-256) - CVE-2022-43442
    CVSS v3 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 4.6
    CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N Base Score: 2.1
  • Cross-Site Request Forgery (CSRF) (CWE-352) - CVE-2022-43470
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L Base Score: 4.6
    CVSS v2 AV:A/AC:H/Au:N/C:N/I:P/A:P Base Score: 3.2

Impact

  • An attacker may obtain the login password of +F FS040U and log in to the management console - CVE-2022-43442
  • If a user views a malicious page while logged in with administrative privileges, unintended operations may be performed - CVE-2022-43470

Solution

Update the software
For products other than +F FS020W, an update is provided by the developer.
Update the software to the latest version according to the information provided by the developer.

Apply the Workaround
For +F FS020W, apply the workaround according to the information provided by the developer to mitigate the impact of the vulnerability.

Vendor Status

Vendor                    Status      Last Update   Vendor Notes
FUJI SOFT INCORPORATED    Vulnerable  2022/10/28    FUJI SOFT INCORPORATED website

Credit

Tomohisa Hasegawa of Canon IT Solutions Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2022-43442, CVE-2022-43470
JVN iPedia: JVNDB-2022-000084