Published:2023/03/17  Last Updated:2023/04/11

JVNVU#96198617
Multiple vulnerabilities in Contec CONPROSYS IoT Gateway products

Overview

CONPROSYS IoT Gateway products provided by Contec CO.,LTD. contain multiple vulnerabilities.

Products Affected

  • M2M Gateway with firmware Ver.3.7.10 and earlier versions (5 models)
    • CPS-MG341-ADSC1-111
    • CPS-MG341-ADSC1-931
    • CPS-MG341G-ADSC1-111
    • CPS-MG341G-ADSC1-930
    • CPS-MG341G5-ADSC1-931
  • M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (9 models)
    • CPS-MC341-ADSC1-111
    • CPS-MC341-ADSC1-931
    • CPS-MC341-ADSC2-111
    • CPS-MC341G-ADSC1-110
    • CPS-MC341Q-ADSC1-111
    • CPS-MC341-DS1-111
    • CPS-MC341-DS11-111
    • CPS-MC341-DS2-911
    • CPS-MC341-A1-111
  • M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (5 models)
    • CPS-MCS341-DS1-111
    • CPS-MCS341-DS1-131
    • CPS-MCS341G-DS1-130
    • CPS-MCS341G5-DS1-130
    • CPS-MCS341Q-DS1-131
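
The list above can be checked against a device inventory as follows. This is an added example, not code from JVN or Contec; the function names, result labels, accepted version-string formats and the sample inventory are assumptions made for illustration. Versions are compared numerically, because a plain string comparison would rank 3.7.9 above 3.7.10.

```python
import re

# Last affected firmware version per product family and the models in each
# family, copied from the "Products Affected" list of this advisory.
AFFECTED = {
    (3, 7, 10): [  # M2M Gateway
        "CPS-MG341-ADSC1-111", "CPS-MG341-ADSC1-931", "CPS-MG341G-ADSC1-111",
        "CPS-MG341G-ADSC1-930", "CPS-MG341G5-ADSC1-931"],
    (3, 7, 6): [  # M2M Controller Integrated Type
        "CPS-MC341-ADSC1-111", "CPS-MC341-ADSC1-931", "CPS-MC341-ADSC2-111",
        "CPS-MC341G-ADSC1-110", "CPS-MC341Q-ADSC1-111", "CPS-MC341-DS1-111",
        "CPS-MC341-DS11-111", "CPS-MC341-DS2-911", "CPS-MC341-A1-111"],
    (3, 8, 8): [  # M2M Controller Configurable Type
        "CPS-MCS341-DS1-111", "CPS-MCS341-DS1-131", "CPS-MCS341G-DS1-130",
        "CPS-MCS341G5-DS1-130", "CPS-MCS341Q-DS1-131"],
}
LAST_AFFECTED = {m: v for v, models in AFFECTED.items() for m in models}

def parse_version(text):
    """Turn 'Ver.3.7.10', 'v3.7.10' or '3.7.10' into (3, 7, 10)."""
    m = re.fullmatch(r"\s*(?:ver\.?|v)?\s*(\d+(?:\.\d+)*)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def status(model, firmware):
    """Return 'affected', 'newer', 'not-listed' or 'unknown-version'."""
    limit = LAST_AFFECTED.get(model.strip().upper())
    if limit is None:
        return "not-listed"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown-version"  # cannot decide; needs manual review
    # Pad with zeros so that '3.7.10.0' compares equal to '3.7.10'.
    n = max(len(version), len(limit))
    version += (0,) * (n - len(version))
    limit += (0,) * (n - len(limit))
    return "affected" if version <= limit else "newer"

# Constructed sample inventory (hypothetical devices, not real data).
INVENTORY = [("CPS-MG341-ADSC1-111", "Ver.3.7.9"), ("CPS-MC341-DS1-111", "3.7.10"),
             ("CPS-MCS341Q-DS1-131", "Ver.3.8.8"), ("CPS-MC341-A1-111", "unknown")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:24} {fw:12} {status(model, fw)}")
```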

Description

CONPROSYS IoT Gateway products provided by Contec CO.,LTD. contain multiple vulnerabilities listed below.

  • OS Command Injection (CWE-78) - CVE-2023-27917
    The Network Maintenance page improperly validates input values, resulting in OS command injection.
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • Inadequate Encryption Strength (CWE-326) - CVE-2023-27389
    The firmware update file contains an encrypted firmware image, which can be decrypted by examining the bundled install script and doing a little more work.
    CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.6
  • Improper Access Control (CWE-284) - CVE-2023-23575
    The Network Maintenance page should be available only to administrative users, but the device fails to restrict access.
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3

Impact

  • A user who can access the Network Maintenance page may execute an arbitrary OS command with root privileges - CVE-2023-27917
  • An authenticated user may apply a specially crafted firmware update file to alter information, cause a denial-of-service (DoS) condition, or execute arbitrary code - CVE-2023-27389
  • A non-privileged user may access the Network Maintenance page to obtain the network information of the product - CVE-2023-23575

Solution

Update the Software
Update the firmware to the latest version according to the information provided by the developer.

Apply the workaround
Applying the following workarounds may mitigate the impacts of the vulnerabilities.

  • Place the product behind a firewall
  • Allow access to the product only from the trusted network
  • Change the credentials from their initial configuration
  • Change credentials regularly

Credit

peishilong reported CVE-2023-27917 and CVE-2023-27389 to JPCERT/CC.
Contec CO.,LTD. examined peishilong's report and found CVE-2023-23575.

Other Information

CVE: CVE-2023-27917, CVE-2023-27389, CVE-2023-23575

Update History

2023/04/11
Fixed the typo under the section [Products Affected].