Published: 2010/04/19 Last Updated: 2010/04/21
JVN#87730223
Multiple Cybozu products vulnerable to authentication bypass
Overview
Multiple Cybozu products contain an authentication bypass vulnerability.
Products Affected
- Cybozu (R) Office 7 Ktai
- Cybozu (R) .(dot) sales
Description
Multiple Cybozu products contain an issue in which the login page for mobile devices is not properly restricted, leading to an authentication bypass vulnerability. As a result, an attacker may impersonate a user of a Cybozu product.
Impact
A remote attacker may view or modify information stored by the product.
Solution
Apply IP address restriction
Using one of the following methods, restrict access only to mobile device IP addresses:
- Apply the restriction settings on the server in which the product is installed
- Use "Cybozu Remote Service" available from the developer
Update to the latest version according to the information provided by the developer.
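Once the IP address restriction described above is in place, the web server's access log can be audited to confirm it is being enforced. The following is an added example, not code from JVN or the developer. It assumes Common Log Format, uses a placeholder for the mobile login path (the advisory does not give it), and uses RFC 5737 documentation ranges in place of real mobile carrier ranges.

```python
import ipaddress
import re

# Constructed allowlist: RFC 5737 documentation ranges standing in for the
# mobile carrier gateway ranges (assumption; substitute the published ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Hypothetical placeholder for the mobile login page path; not from the advisory.
MOBILE_LOGIN_PREFIX = "/MOBILE-LOGIN-PLACEHOLDER"

# Common Log Format: client IP first, quoted request line, then status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_allowed(ip_text):
    """True only if the address parses and lies inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field is treated as not allowed
    return any(ip in net for net in ALLOWED_NETS)

def audit(lines):
    """Return (ip, path, status) for mobile-login requests from outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status = m.groups()
        if path.startswith(MOBILE_LOGIN_PREFIX) and not is_allowed(ip):
            findings.append((ip, path, int(status)))
    return findings

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.17 - - [20/Apr/2010:09:12:01 +0900] "GET /MOBILE-LOGIN-PLACEHOLDER HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Apr/2010:09:13:44 +0900] "GET /MOBILE-LOGIN-PLACEHOLDER HTTP/1.1" 200 5098',
    '198.51.100.200 - - [20/Apr/2010:09:14:02 +0900] "GET /MOBILE-LOGIN-PLACEHOLDER HTTP/1.1" 403 312',
    '203.0.113.9 - - [20/Apr/2010:09:15:10 +0900] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, path, status in audit(SAMPLE_LOG):
        verdict = "restriction NOT enforced" if status < 400 else "blocked"
        print(f"{ip} {path} -> {status} ({verdict})")
```

A finding with a success status means a request from outside the allowlist reached the mobile login page, so the restriction is missing or misconfigured. A finding with a 4xx status shows the restriction rejecting the request.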
Vendor Status
Vendor | Link |
Cybozu, Inc. | Simple Login Function Vulnerability (CY10-04-001) (Japanese Only) |
JPCERT/CC Addendum
According to the developer, in Cybozu Office 8, when the user ID/password for mobile device login is changed, the URL that was used to log in will no longer work. The developer is recommending updating the software version and notifying its users to change their user ID/password periodically.
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2010-2029 |
JVN iPedia | JVNDB-2010-000016 |