Published:2022/05/09  Last Updated:2022/05/19

JVN#96561229
Multiple vulnerabilities in Operation management interface of FUJITSU Network IPCOM
Critical

Overview

Operation management interface of FUJITSU Network IPCOM provided by FUJITSU LIMITED contains multiple vulnerabilities.

Products Affected

  • IPCOM EX2 series
  • IPCOM EX series
  • IPCOM VE2 series
  • IPCOM VA2/VE1 series

Description

FUJITSU Network IPCOM provided by FUJITSU LIMITED is an integrated network appliance.
Operation management interface used to operate FUJITSU Network IPCOM contains multiple vulnerabilities listed below.

  • OS command injection in the web console (CWE-78) - CVE-2022-29516
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
  • Buffer overflow in the Command Line Interface (CWE-120) - CVE-2020-10188
    The product uses previous versions of netkit-telnet which contains a known vulnerability.
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0

Impact

  • A remote attacker may execute an arbitrary OS command.
  • A remote attacker may obtain and/or alter sensitive information.
  • A remote attackerr may be able to cause a denial-of-service (DoS).

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
These vulnerabilities have been already addressed in the following firmware versions.

  • IPCOM EX2 V01L05 NF0501
  • IPCOM EX E20L33 NF1101
  • IPCOM VE2 V01L05 NF0303
Apply the Workaround
Apply one of the following workarounds to prevent unauthorized access from other than authorized Operation management terminal:
  • Prepare a dedicated network to deploy Operation management interface and allow access to the Operation management interface only from the network
  • Set individual permissions for Operation management terminal
For more information, refer to the information provided by the developer. (Text in Japanese)

Vendor Status

Vendor Status Last Update Vendor Notes
FUJITSU LIMITED Vulnerable, investigating 2022/05/09 FUJITSU LIMITED website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

FUJITSU LIMITED reported these vulnerabilities to IPA to notify users of its solution through JVN. JPCERT/CC and FUJITSU LIMITED coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert JPCERT-AT-2022-0013
Alert Regarding Vulnerabilities in Operation management interface of FUJITSU Network IPCOM
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-29516
CVE-2020-10188
JVN iPedia JVNDB-2022-000030

Update History

2022/05/09
Information under the section [Other Information] was updated.
2022/05/19
Information under the section [Solution] was updated.