Published: 2023/07/26  Last Updated: 2023/09/06

JVN#95727578
Fujitsu Real-time Video Transmission Gear "IP series" uses hard-coded credentials

Overview

Real-time Video Transmission Gear "IP series" provided by Fujitsu Limited uses hard-coded credentials.

Products Affected

  • IP-HE950E firmware versions V01L001 to V01L053
  • IP-HE950D firmware versions V01L001 to V01L053
  • IP-HE900E firmware versions V01L001 to V01L010
  • IP-HE900D firmware versions V01L001 to V01L004
  • IP-900E / IP-920E firmware versions V01L001 to V02L061
  • IP-900D / IP-900ⅡD / IP-920D firmware versions V01L001 to V02L061
  • IP-90 firmware versions V01L001 to V01L013
  • IP-9610 firmware versions V01L001 to V02L007
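The list above can be turned into an inventory check. The following is an added example, not code from JVN or Fujitsu: it classifies (model, firmware) pairs against the affected ranges. It assumes firmware strings of the form `VxxLyyy` order numerically by the V number and then the L number, splits the combined model entries into one key each, and uses constructed inventory rows.

```python
import re

# Affected ranges from "Products Affected": model -> (first, last) affected, inclusive.
AFFECTED = {
    "IP-HE950E": ("V01L001", "V01L053"),
    "IP-HE950D": ("V01L001", "V01L053"),
    "IP-HE900E": ("V01L001", "V01L010"),
    "IP-HE900D": ("V01L001", "V01L004"),
    "IP-900E": ("V01L001", "V02L061"),
    "IP-920E": ("V01L001", "V02L061"),
    "IP-900D": ("V01L001", "V02L061"),
    "IP-900IID": ("V01L001", "V02L061"),
    "IP-920D": ("V01L001", "V02L061"),
    "IP-90": ("V01L001", "V01L013"),
    "IP-9610": ("V01L001", "V02L007"),
}

_VERSION = re.compile(r"V(\d+)L(\d+)")

def parse_version(text):
    """Turn 'V01L053' into (1, 53); numeric ordering is an assumption."""
    m = _VERSION.fullmatch(text.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def normalise_model(text):
    """Upper-case, drop spaces, and map the Roman numeral 'Ⅱ' to 'II'."""
    return text.strip().upper().replace("Ⅱ", "II").replace(" ", "")

def classify(model, version):
    """Return 'affected', 'not-affected', 'unknown-model' or 'bad-version'."""
    bounds = AFFECTED.get(normalise_model(model))
    if bounds is None:
        return "unknown-model"
    try:
        low, high, current = (parse_version(v) for v in (*bounds, version))
    except ValueError:
        return "bad-version"  # flag for manual review rather than guessing
    return "affected" if low <= current <= high else "not-affected"

# Constructed inventory rows (model, firmware) for illustration only.
SAMPLE_INVENTORY = [("IP-HE950E", "V01L053"), ("ip-900ⅡD", "v02l061"),
                    ("IP-90", "V01L014"), ("IP-9610", "2.007"), ("IP-1000", "V01L001")]

if __name__ == "__main__":
    for model, version in SAMPLE_INVENTORY:
        print(model, version, classify(model, version), sep="\t")
```

Rows reported as `bad-version` or `unknown-model` need manual review against the vendor's information rather than being treated as safe.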

Description

Real-time Video Transmission Gear "IP series" provided by Fujitsu Limited uses hard-coded credentials (CWE-798).
The product's credentials for factory testing may be obtained by reverse engineering or other means.

Impact

An attacker who logs in to the web interface using the obtained credentials may initialize or reboot the products and, as a result, terminate the video transmission.

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Apply a workaround
Applying the following workaround may mitigate the impact of this vulnerability.

  • Place the products on a secure network

Vendor Status

Vendor: Fujitsu Limited
Status: Vulnerable
Last Update: 2023/07/26
Vendor Notes: Fujitsu Limited website

References

  1. ICS Advisory | ICSA-23-248-01
    Fujitsu Limited Real-time Video Transmission Gear "IP series"

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 5.9
  Attack Vector (AV): Network (N)
  Attack Complexity (AC): High (H)
  Privileges Required (PR): None (N)
  User Interaction (UI): None (N)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

CVSS v2 AV:N/AC:H/Au:N/C:P/I:N/A:N
Base Score: 2.6
  Access Vector (AV): Network (N)
  Access Complexity (AC): High (H)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

Comment

Confidentiality impact is treated as the primary impact, and Integrity and Availability impacts are treated as secondary impacts.

Credit

Fujitsu Limited reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fujitsu Limited coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-38433
JVN iPedia: JVNDB-2023-000074

Update History

2023/09/06
Information under the section [References] was updated.