Published: 2010/04/19  Last Updated: 2010/04/21

JVN#87730223
Multiple Cybozu products vulnerable to authentication bypass

Overview

Multiple Cybozu products contain an authentication bypass vulnerability.

Products Affected

  • Cybozu (R) Office 7 Ktai
  • Cybozu (R) .(dot) sales

Description

Multiple Cybozu products contain an issue in which access to the login page for mobile devices is not properly restricted, leading to an authentication bypass vulnerability. As a result, an attacker may impersonate a user of a Cybozu product.

Impact

A remote attacker may view or modify information stored by the product.

Solution

Apply IP address restriction

Using one of the following methods, restrict access to the mobile login page to mobile device IP addresses only:

  • Apply the restriction settings on the server on which the product is installed
  • Use "Cybozu Remote Service", available from the developer

Update the Software

Update to the latest version according to the information provided by the developer.
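The first workaround above is a source-address allow-list on the mobile login page. The following added example (not part of the advisory and not Cybozu's code) shows the two halves of that control a practitioner wants: a check that decides whether a request to the mobile login path comes from an allowed range, and a pass over web-server access logs that flags mobile-login requests from outside those ranges, which is how an administrator can verify the restriction is working or spot access that predates it. The mobile login path, the carrier address ranges, and the log lines are all constructed placeholders; real deployments must use the product's actual path and the address ranges published by each carrier.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder ranges standing in for mobile-carrier networks.
# Replace with the ranges published by the carriers you actually serve.
MOBILE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Hypothetical path prefix of the mobile login page; the real path depends
# on the product and on where it is installed.
MOBILE_LOGIN_PREFIX = "/cgi-bin/cybozu/mobile/"

# Apache/nginx "combined" access-log format: client IP, identity, user,
# timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_mobile_source(ip: str) -> bool:
    """Return True only if ip parses and lies inside an allow-listed range.

    Unparseable addresses are treated as NOT allowed (fail closed).
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MOBILE_RANGES)


def allow_request(path: str, client_ip: str) -> bool:
    """Access decision for the mobile login page.

    Requests for other paths are left to the application's normal rules;
    requests for the mobile login path must come from an allowed range.
    """
    if not path.startswith(MOBILE_LOGIN_PREFIX):
        return True
    return is_mobile_source(client_ip)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format log line; return None for unparseable input."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_suspicious(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, path, status) for mobile-login requests from outside the
    allow-listed ranges. Unparseable lines are skipped, not treated as hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not allow_request(rec["path"], rec["ip"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [19/Apr/2010:10:00:00 +0900] '
    '"GET /cgi-bin/cybozu/mobile/login.cgi HTTP/1.1" 200 512 "-" "DoCoMo/2.0"',
    '192.0.2.10 - - [19/Apr/2010:10:01:12 +0900] '
    '"GET /cgi-bin/cybozu/mobile/login.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Apr/2010:10:02:30 +0900] '
    '"GET /cgi-bin/cybozu/ag.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, path, status in flag_suspicious(SAMPLE_LOG):
        print(f"mobile login from non-mobile address {ip}: {path} -> {status}")
```

Of the three parseable lines, only the second is flagged: it requests the mobile login path from 192.0.2.10, which is outside both placeholder ranges. The PC login request from the same address is not the mobile page and so is not a hit, and the malformed line is skipped. The same `allow_request` decision is what a reverse proxy or web-server allow/deny rule on the mobile path implements.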

References

  1. IPA
    Security Alert for Vulnerability in Multiple Cybozu Products

JPCERT/CC Addendum

According to the developer, in Cybozu Office 8, when the user ID/password used for mobile device login is changed, the URL that was previously used to log in will no longer work. The developer recommends updating the software version and notifying users to change their user ID/password periodically.

Other Information

CVE CVE-2010-2029
JVN iPedia JVNDB-2010-000016

Update History