JVN#95727578
Fujitsu Real-time Video Transmission Gear "IP series" uses a hard-coded credentials
Overview
Real-time Video Transmission Gear "IP series" provided by Fujitsu Limited uses a hard-coded credentials.
Products Affected
- IP-HE950E firmware versions V01L001 to V01L053
- IP-HE950D firmware versions V01L001 to V01L053
- IP-HE900E firmware versions V01L001 to V01L010
- IP-HE900D firmware versions V01L001 to V01L004
- IP-900E / IP-920E firmware versions V01L001 to V02L061
- IP-900D / IP-900ⅡD / IP-920D firmware versions V01L001 to V02L061
- IP-90 firmware versions V01L001 to V01L013
- IP-9610 firmware versions V01L001 to V02L007
Description
Real-time Video Transmission Gear "IP series" provided by Fujitsu Limited uses a hard-coded credentials (CWE-798) .
The product's credentials for factory testing may be obtained by reverse engineering and others.
Impact
An attacker who log in to the web interface using the obtained credentials may initialize or reboot the products, and as a result, terminate the video transmission.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
Apply a workaround
Applying a following workaround may mitigate the impacts of this vulnerability.
- Place the products on a secure network
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Fujitsu Limited | Vulnerable | 2023/07/26 | Fujitsu Limited website |
References
-
ICS Advisory | ICSA-23-248-01
Fujitsu Limited Real-time Video Transmission Gear "IP series"
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
Confidentiality impact is treated as the primary, and Integrity and Availability impacts are treated as the secondary impacts.
Credit
Fujitsu Limited reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fujitsu Limited coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2023-38433 |
| JVN iPedia |
JVNDB-2023-000074 |
Update History
- 2023/09/06
- Information under the section [References] was updated.