Published:2024/08/30  Last Updated:2024/08/30

JVN#29238389
IPCOM vulnerable to information disclosure

Overview

SSL Accelerator/SSL-VPN Function of IPCOM provided by Fsas Technologies Inc. contains an information disclosure vulnerability.

Products Affected

  • IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301
  • IPCOM VE2 Series V01L04NF0001 to V01L06NF0112

Description

SSL Accelerator/SSL-VPN Function of IPCOM provided by Fsas Technologies Inc. contains an information disclosure vulnerability due to observable timing discrepancy (CWE-208).

Impact

Some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication.

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Apply the workaround
Applying the following workaround may mitigate the impact of this vulnerability.

  • Disable the RSA key exchange cipher suite in the IPCOM cipher suite settings
For more information, refer to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Fsas Technologies Inc. Vulnerable 2024/08/30 Fsas Technologies Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 5.9
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fsas Technologies Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-39921
JVN iPedia JVNDB-2024-000091