Published:2022/03/04  Last Updated:2022/03/04

JVN#33214411
i-FILTER vulnerable to improper check for certificate revocation

Overview

i-FILTER provided by Digital Arts Inc. is vulnerable to improper check for certificate revocation.

Products Affected

  • i-FILTER
    • Ver.10.45R01 and earlier
    • Ver.9.50R10 and earlier
  • i-FILTER Browser & Cloud MultiAgent for Windows Ver.4.93R04 and earlier
According to the developer, D-SPA (Ver.3 / Ver.4) using i-FILTER are affected as well.

Description

i-FILTER provided by Digital Arts Inc. is vulnerable to improper check for certificate revocation (CWE-299) .

Impact

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.

Solution

Update the software and add settings
Update the software to the latest version according to the information provided by the developer.
After updating to the latest version, enable "Check certificate revocation" from i-FILTER's Management console [Option / SSL Adapter / Basic settings].

Vendor Status

Vendor Link
Digital Arts Inc. i-FILTER Ver.10 support (Text in Japanese, login required)
i-FILTER Ver.9 support (Text in Japanese, login required)
i-FILTER Browser & Cloud support (Text in Japanese, login required)
D-SPA Ver.4 support (Text in Japanese, login required)
D-SPA Ver.3 support (Text in Japanese, login required)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 4.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score: 4.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Digital Arts Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Digital Arts Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-21170
JVN iPedia JVNDB-2022-000008