JVN#58774946
FileZen vulnerable to OS command injection
Critical
Overview
FileZen provided by Soliton Systems K.K. contains an OS command injection vulnerability.
Products Affected
- FileZen versions from V3.0.0 to V4.2.7
- FileZen versions from V5.0.0 to V5.0.2
Description
FileZen, provided by Soliton Systems K.K., is an appliance for secure file transfer and sharing by e-mail or via a web interface.
FileZen contains an OS command injection vulnerability (CWE-78).
Impact
A remote attacker who has obtained the administrative account of this product may execute arbitrary OS commands on the appliance.
Solution
Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has already been addressed in the following firmware versions.
- FileZen V4.2.8
- FileZen V5.0.3
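The affected and fixed versions above are what an asset owner needs to triage an inventory. The following is an added example, not code from JVN or Soliton Systems, that maps FileZen version strings (assumed to use the advisory's "V4.2.7" form) onto the two affected ranges and reports the fixed release for each.

```python
# Added example (not from the JVN advisory or Soliton Systems): flag FileZen
# firmware versions that fall inside the affected ranges stated above and
# report the fixed release to move to. Assumes version strings of the form
# "V4.2.7" (leading "V" optional), as used in the advisory.
import re
from typing import Dict, Iterable, Optional, Tuple

# Inclusive affected ranges and the fixing release for each, as stated in the advisory.
AFFECTED_RANGES = [
    ((3, 0, 0), (4, 2, 7), "V4.2.8"),
    ((5, 0, 0), (5, 0, 2), "V5.0.3"),
]

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V4.2.7' (or '4.2.7') into a numerically comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FileZen version string: {text!r}")
    # Integer tuples compare component-wise, so V4.10.0 sorts after V4.2.7
    # (a plain string comparison would get this wrong).
    return tuple(int(g) for g in m.groups())


def fixed_version_for(text: str) -> Optional[str]:
    """Return the firmware version fixing JVN#58774946 if `text` is affected, else None."""
    v = parse_version(text)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return fix
    return None


def triage_inventory(versions: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each inventoried version string to its required fix (None = not affected)."""
    return {ver: fixed_version_for(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    sample = ["V3.0.0", "V4.2.7", "V4.2.8", "V4.10.0", "V5.0.2", "V5.0.3", "V2.9.9"]
    for ver, fix in triage_inventory(sample).items():
        print(f"{ver}: {'update to ' + fix if fix else 'not affected'}")
```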
Apply workarounds
Applying the following workarounds may mitigate the impact of this vulnerability.
The developer recommends applying the following mitigations to this product.
- Disable the initial administrator account "admin"
- Change the System Administrator account's ID and password
- Configure the System Administrator account so that it cannot log on from the Internet
For more information, refer to the information provided by the developer (in Japanese).
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Soliton Systems K.K. | Vulnerable | 2021/03/05 | Soliton Systems K.K. website |
References
- Information-technology Promotion Agency, Japan (IPA): Regarding OS Command Injection vulnerability in FileZen (JVN#58774946) (in Japanese)
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.
Other Information
Item | Reference |
---|---|
JPCERT Alert | JPCERT-AT-2021-0009 Alert Regarding Vulnerability (CVE-2021-20655) in FileZen |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2021-20655 |
JVN iPedia | JVNDB-2021-000015 |
Update History
- 2021/02/16
- Information under the section "References" and "Other Information" was updated.
- 2021/03/05
- Information under the section "Solution" was updated.
- 2021/03/05
- Soliton Systems K.K. updated its vendor status.