Published: 2023/08/04  Last Updated: 2023/08/04

JVN#38847224
Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext

Overview

Fujitsu Software Infrastructure Manager (ISM), provided by Fujitsu Limited, stores sensitive information in cleartext form under a certain configuration.

Products Affected

  • Fujitsu Software Infrastructure Manager Advanced Edition V2.8.0.060
  • Fujitsu Software Infrastructure Manager Advanced Edition for PRIMEFLEX V2.8.0.060
  • Fujitsu Software Infrastructure Manager Essential Edition V2.8.0.060

Description

Fujitsu Software Infrastructure Manager (ISM) V2.8.0.060, provided by Fujitsu Limited, stores the password for the proxy server in cleartext form in the product's maintenance data (ismsnap) (CWE-312) under the following conditions.

  • A proxy server that requires authentication is used for the connection from ISM to the internet
  • The user ID and/or the password for the proxy server contains the "\" (backslash) character
  • The product's firmware download function is enabled (*)
    (*) This function is provided for the Europe Region and is disabled by default

Impact

The password for the proxy server that is configured in ISM may be retrieved from the maintenance data.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released V2.8.0.061 to fix this vulnerability.

Apply the Workarounds
Applying the following workarounds may mitigate the impact of this vulnerability.

  • When downloading firmware, use a user ID and password for the proxy server that do not include the "\" (backslash) character
  • Store the maintenance data in a trusted location, and delete it when it is no longer needed
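The second workaround relies on knowing whether a collected ismsnap actually carries the proxy password before it is shared. The following added example (not Fujitsu's code) checks extracted maintenance data for the configured password; the advisory does not describe the ismsnap layout, so the contents are modelled as a mapping of file name to text, the sample data is constructed, and checking a backslash-doubled form alongside the raw value is an assumption.

```python
"""Check ISM maintenance data for a known proxy password before it is shared."""
import re

def credential_variants(secret: str) -> list[str]:
    """Forms a backslash-bearing password may take in a text file: the raw value
    and a backslash-doubled form (shell/JSON style quoting). Which forms ismsnap
    really emits is an assumption; the advisory only says it is cleartext."""
    if not secret:
        raise ValueError("secret must be non-empty")
    variants = {secret, secret.replace("\\", "\\\\")}
    # Longest first so the doubled form is never half-matched by the raw one.
    return sorted(variants, key=len, reverse=True)

def _pattern(secret: str) -> re.Pattern:
    return re.compile("|".join(re.escape(v) for v in credential_variants(secret)))

def find_exposures(files: dict[str, str], secret: str) -> list[tuple[str, int]]:
    """Return (file name, 1-based line number) for each line containing the secret."""
    pattern = _pattern(secret)
    hits = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                hits.append((name, lineno))
    return hits

def redact_exposures(files: dict[str, str], secret: str,
                     marker: str = "[REDACTED]") -> dict[str, str]:
    """Return a copy of the files with every occurrence of the secret replaced."""
    pattern = _pattern(secret)
    return {name: pattern.sub(marker, text) for name, text in files.items()}

# Constructed sample standing in for extracted ismsnap contents (layout assumed).
PROXY_PASSWORD = "Pa55\\word!"          # i.e. Pa55\word!  (constructed value)
SAMPLE_FILES = {
    "config/proxy.conf": (
        "proxy_host=proxy.example.internal\n"
        "proxy_user=CORP\\svc-ism\n"
        "proxy_pass=Pa55\\word!\n"           # raw form
    ),
    "log/firmware_download.log": (
        "2023-08-01T10:00:00Z firmware catalogue download via proxy\n"
        "2023-08-01T10:00:01Z proxy auth CORP\\\\svc-ism:Pa55\\\\word! ok\n"  # doubled
    ),
}

if __name__ == "__main__":
    for name, lineno in find_exposures(SAMPLE_FILES, PROXY_PASSWORD):
        print(f"{name}:{lineno}: proxy password present in cleartext")
```

Run the check over the extracted archive with the operator's real proxy password; any hit means the data must be redacted or regenerated after changing the credential before it leaves the site.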

Vendor Status

Vendor: Fujitsu Limited
Status: Vulnerable
Last Update: 2023/08/04
Vendor Notes: Fujitsu Limited website

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Base Score: 5.9
  Attack Vector (AV): Local (L)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): Low (L)
  User Interaction (UI): Required (R)
  Scope (S): Changed (C)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

CVSS v2 AV:L/AC:M/Au:S/C:P/I:N/A:N
Base Score: 1.5
  Access Vector (AV): Local (L)
  Access Complexity (AC): Medium (M)
  Authentication (Au): Single (S)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

Comment

The analysis assumes that an attacker directs the administrator to collect maintenance data.

Credit

Fujitsu Limited reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fujitsu Limited coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-39379
JVN iPedia: JVNDB-2023-000077