Published:2023/01/06  Last Updated:2023/01/06

JVN#55675303
Digital Arts m-FILTER vulnerable to improper authentication

Overview

m-FILTER provided by Digital Arts Inc. contains an improper implementation in the authentication process of sending emails.

Products Affected

  • m-FILTER prior to Ver.5.70R01 (Ver.5 Series)
  • m-FILTER prior to Ver.4.87R04 (Ver.4 Series)
The developer states that m-FILTER@Cloud had been affected by this vulnerability as well.

Description

m-FILTER provided by Digital Arts Inc. is an emaill security product.
m-FILTER contains an improper authentication vulnerability (CWE-287) when emails are being sent under certain conditions, and unintended emails may be sent by a remote attacker.

Digital Arts Inc. states that attacks exploiting this vulnerability have been observed.

Impact

Exploiting this vulnerability may result in the impacts listed below.

  • The source IP address is blacklisted and emails cannot be sent
  • If the archive function is being used, sent unsolicited emails are archived and the disk space is oppressed

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the following versions to fix the vulnerability.

  • m-FILTER Ver.5.70R01 (Ver.5 Series)
  • m-FILTER Ver.4.87R04 (Ver.4 Series)
The issue in m-FILTER@Cloud is already fixed with the update on December 23, 2022.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:N/I:N/A:P
Base Score: 4.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Digital Arts Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Digital Arts Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-22278
JVN iPedia JVNDB-2023-000002