Published:2023/06/16  Last Updated:2023/06/16

JVN#19748237
Multiple vulnerabilities in Panasonic AiSEG2

Overview

Panasonic AiSEG2 contains multiple vulnerabilities.

Products Affected

CVE-2023-28726

  • AiSEG2 firmware Ver. 2.80F to 2.93A
CVE-2023-28727
  • AiSEG2 firmware Ver. 2.00J to 2.93A

Description

Panasonic AiSEG2 contains multiple vulnerabilities listed below.

  • OS Command Injection (CWE-78) - CVE-2023-28726
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.5
    CVSS v2 AV:N/AC:H/Au:S/C:C/I:C/A:C Base Score: 7.1
  • Improper Authentication (CWE-287) - CVE-2023-28727
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 9.6
    CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P Base Score: 5.8

Impact

  • A remote attacker who can login to the product may execute an arbitrary OS command - CVE-2023-28726
  • A network-adjacent attacker may bypass authentication for the product - CVE-2023-28727

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Taku Toyama of NEC Corporation reported CVE-2023-28726 and CVE-2023-28727 vulnerabilities to Panasonic and coordinated. Panasonic and JPCERT/CC published respective advisories in order to notify users of the vulnerabilities.

Yota Egusa of SAKURA internet Inc. reported CVE-2023-28727 vulnerability to IPA. JPCERT/CC coordinated with Panasonic under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-28726
CVE-2023-28727
JVN iPedia JVNDB-2023-000063