JVN#29238389
IPCOM vulnerable to information disclosure
Overview
SSL Accelerator/SSL-VPN Function of IPCOM provided by Fsas Technologies Inc. contains an information disclosure vulnerability.
Products Affected
- IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301
- IPCOM VE2 Series V01L04NF0001 to V01L06NF0112
Description
SSL Accelerator/SSL-VPN Function of IPCOM provided by Fsas Technologies Inc. contains an information disclosure vulnerability due to observable timing discrepancy (CWE-208).
Impact
Some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
Apply the workaround
Applying the following workaround may mitigate the impact of this vulnerability.
- Disable the RSA key exchange cipher suite in the IPCOM cipher suite settings
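An added example (not from the advisory or the vendor) of checking an enabled cipher-suite list for the suites the workaround asks you to disable. It assumes the suites are written in IANA or OpenSSL naming; the function names and the sample list are hypothetical and constructed for illustration.

```python
import re

# Name prefixes OpenSSL uses for key exchanges other than RSA key transport.
# OpenSSL-style names carry no prefix at all when the key exchange is RSA.
NON_RSA_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-", "AECDH-",
                    "PSK-", "SRP-", "GOST", "TLS_")

def uses_rsa_key_exchange(suite: str) -> bool:
    """True if the suite sends the premaster secret encrypted to the server's RSA key."""
    name = suite.strip().upper()
    if "_WITH_" in name:
        # IANA style: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac>
        kx = re.sub(r"^(TLS|SSL)_", "", name.split("_WITH_", 1)[0])
        # ECDHE_RSA / DHE_RSA use RSA only to sign, so they are not matched here.
        return kx in ("RSA", "RSA_EXPORT", "RSA_PSK")
    # OpenSSL style; TLS 1.3 names (TLS_AES_...) have no RSA key exchange.
    name = re.sub(r"^EXP-", "", name)
    if name.startswith("RSA-PSK-"):
        return True
    # Unknown names fall through to True so they get reviewed rather than missed.
    return not name.startswith(NON_RSA_PREFIXES)

def audit(suites):
    """Return the suites that must be disabled to apply the workaround."""
    return [s for s in suites if s.strip() and uses_rsa_key_exchange(s)]

# Constructed sample of an enabled-suite list (not taken from an IPCOM device).
SAMPLE_ENABLED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for s in audit(SAMPLE_ENABLED):
        print("disable:", s)
```

Suites with `RSA` only in the authentication position (for example `ECDHE-RSA-...`) are left enabled, because they use RSA to sign the handshake rather than to transport the key.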
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Fsas Technologies Inc. | Vulnerable | 2024/08/30 | Fsas Technologies Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Credit
Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fsas Technologies Inc. coordinated under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
---|---|
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2024-39921 |
JVN iPedia | JVNDB-2024-000091 |