Published: 2018/02/20  Last Updated: 2018/02/20

Information from FUJI SOFT INCORPORATED

Vulnerability ID: JVN#83834277
Title: Multiple vulnerabilities in FS010W
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

■Versions of FS010W
Cross-site scripting and cross-site request forgery vulnerabilities were found to exist in FS010W before FS010W_00_V1.3.0.

If this vulnerability is exploited,

・An arbitrary script is executed on the web browser of a user who is logged in to the setting tool of FS010W.
・When a user logged in to the setting tool of FS010W accesses a specially crafted page, settings are changed regardless of the user's intention.

The version of FS010W affected by this problem is shown below. Please apply the workarounds.

■Description
FS010W has a function to change the setting of FS010W from the browser.

Because of this vulnerability, if you open a malicious site targeting FS010W, the following operations may be performed through cross-site scripting or cross-site request forgery.

・Change the setting tool login password
・Reboot
・Setting initialization
・Change SSID

If unintended settings are made due to this vulnerability, press the reset button beside the microUSB port for at least 5 seconds to return the device to its purchase state, then set the profile again.

■Solutions
It is possible to reduce the effect of this vulnerability by implementing all the following workarounds.

・Change the setting tool login password from the initial setting.
・Do not access other websites while logged in to the setting tool.
・After finishing the operation with the setting tool, exit the web browser.