JVN#96561229
Multiple vulnerabilities in Operation management interface of FUJITSU Network IPCOM
Critical
Overview
Operation management interface of FUJITSU Network IPCOM provided by FUJITSU LIMITED contains multiple vulnerabilities.
Products Affected
- IPCOM EX2 series
- IPCOM EX series
- IPCOM VE2 series
- IPCOM VA2/VE1 series
Description
FUJITSU Network IPCOM provided by FUJITSU LIMITED is an integrated network appliance.
The operation management interface used to operate FUJITSU Network IPCOM contains the multiple vulnerabilities listed below.
- OS command injection in the web console (CWE-78) - CVE-2022-29516
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
  CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
- Buffer overflow in the Command Line Interface (CWE-120) - CVE-2020-10188
  The product uses older versions of netkit-telnet that contain a known vulnerability.
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
  CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
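The first issue above is a CWE-78 weakness: input from the web console reaching an OS command line. The following is an added, generic illustration of that weakness class and of the corresponding hardening, written for this advisory; it is not IPCOM firmware code (which is not public), and the "ping a target" diagnostic use case, the function names and the hostname allowlist policy are assumptions.

```python
"""CWE-78 (OS command injection) in a web-console style diagnostic
handler, with the hardened form beside it.

Added example for this advisory, not FUJITSU's code. The 'ping' use
case, the function names and the allowlist pattern are assumptions.
"""
import re
import subprocess

# Allowlist for a target argument: RFC 1123 hostname labels or a dotted
# IPv4 literal. Anything else (including every shell metacharacter) is
# rejected before a process is ever started. Assumed policy.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_unsafe(target: str) -> str:
    """Vulnerable pattern: user input spliced into a single command
    string that would later be handed to a shell (shell=True).

    Returned rather than executed, so the reader can see that any shell
    metacharacter in `target` becomes part of what the shell parses.
    """
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 address."""
    if not _HOST_RE.match(target):
        raise ValueError("target is not a valid hostname or IPv4 address")
    return target


def build_ping_command_safe(target: str) -> list[str]:
    """Hardened pattern: validate against the allowlist, then build an
    argv list so no shell ever interprets the user-supplied value."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping_safe(target: str, timeout: float = 5.0) -> int:
    """Execute the validated argv without a shell (the default for a
    list argument) and return the exit status."""
    argv = build_ping_command_safe(target)
    completed = subprocess.run(
        argv, check=False, timeout=timeout, capture_output=True
    )
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate target, one carrying a shell
    # metacharacter. The unsafe builder passes both through unchanged;
    # the safe builder accepts only the first.
    for candidate in ("192.0.2.10", "192.0.2.10;id"):
        print("unsafe:", repr(build_ping_command_unsafe(candidate)))
        try:
            print("safe:  ", build_ping_command_safe(candidate))
        except ValueError as exc:
            print("safe:   rejected:", exc)
```

The two defences are independent: the allowlist stops hostile input at the boundary, and the argv form means that even a value which slipped past validation would reach `ping` as a single argument rather than as shell syntax. Running the whole command line through a shell with string concatenation, as the unsafe builder does, is the pattern the CWE-78 entry describes.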
Impact
- A remote attacker may execute an arbitrary OS command.
- A remote attacker may obtain and/or alter sensitive information.
- A remote attacker may be able to cause a denial-of-service (DoS).
Solution
Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
These vulnerabilities have already been addressed in the following firmware versions.
- IPCOM EX2 V01L05 NF0501
- IPCOM EX2 V01L20 NF0301
- IPCOM EX2 V02L21 NF0201
- IPCOM EX E20L33 NF1101
- IPCOM EX E30L11 NF0501
- IPCOM VE2 V01L05 NF0303
- IPCOM VA2/VE1 E20L33 NF0902
Apply one of the following workarounds to prevent access from anything other than the authorized operation management terminal:
- Prepare a dedicated network for the operation management interface and allow access to the interface only from that network
- Set individual permissions for the operation management terminal
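Both workarounds amount to a source-address allowlist on the management plane: a dedicated management network, or individually permitted terminals. The block below is an added example, written for this advisory and not IPCOM configuration (the page does not show IPCOM's own ACL syntax); it models such a policy, applies it to constructed access-log lines, and reports which sources the policy would deny. The networks, addresses and log format are constructed.

```python
"""Management-plane source allowlist, modelling the two workarounds in
this advisory (dedicated management network; individually permitted
terminals). Added example, not IPCOM configuration; the policy entries,
addresses and log format below are constructed.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ManagementAllowlist:
    """Holds permitted sources and answers whether an address may reach
    the management interface. Deny is the default for anything that is
    not listed or cannot be parsed."""

    def __init__(self, entries: Iterable[str]):
        # A CIDR entry is a dedicated management network; a bare address
        # is one permitted terminal (stored as a /32 or /128).
        self._networks: List[Network] = [
            ipaddress.ip_network(entry, strict=False) for entry in entries
        ]

    def permits(self, source: str) -> bool:
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return False  # unparsable source: deny by default
        return any(addr in net for net in self._networks)

    def audit_log(self, lines: Iterable[str]) -> List[str]:
        """Return the source addresses in access-log lines that the
        policy would deny: a quick check of where management traffic
        is coming from today before the restriction is enforced.

        Assumed line format: "<timestamp> <source> <method> <path>".
        """
        denied: List[str] = []
        for line in lines:
            parts = line.split()
            if len(parts) < 2:
                continue  # malformed line, nothing to evaluate
            source = parts[1]
            if not self.permits(source):
                denied.append(source)
        return denied


# Constructed policy: one dedicated IPv4 management network, one IPv6
# management network, and a single individually permitted terminal.
POLICY = ManagementAllowlist(["10.99.0.0/24", "2001:db8:1::/48", "203.0.113.7"])

# Constructed access-log lines in the assumed format.
SAMPLE_LOG = [
    "2022-06-16T09:00:01Z 10.99.0.20 GET /console/login",
    "2022-06-16T09:00:05Z 203.0.113.7 POST /console/diag",
    "2022-06-16T09:00:09Z 198.51.100.4 GET /console/login",
    "2022-06-16T09:00:12Z 2001:db8:1::5 GET /console/status",
    "2022-06-16T09:00:15Z not-an-address GET /console/login",
]


if __name__ == "__main__":
    for src in POLICY.audit_log(SAMPLE_LOG):
        print("would be denied:", src)
```

The audit pass is the useful part operationally: run it over real management-interface logs before enforcing the allowlist, so that legitimate terminals outside the planned management network are found and either moved or added as individual permissions rather than locked out.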
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
FUJITSU LIMITED | Vulnerable | 2022/06/16 | FUJITSU LIMITED website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
FUJITSU LIMITED reported these vulnerabilities to IPA to notify users of its solution through JVN. JPCERT/CC and FUJITSU LIMITED coordinated under the Information Security Early Warning Partnership.
Other Information
Item | Reference |
---|---|
JPCERT Alert | JPCERT-AT-2022-0013 Alert Regarding Vulnerabilities in Operation management interface of FUJITSU Network IPCOM |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2022-29516, CVE-2020-10188 |
JVN iPedia | JVNDB-2022-000030 |
Update History
- 2022/05/09
  - Information under the section [Other Information] was updated.
- 2022/05/19
  - Information under the section [Solution] was updated.
- 2022/05/30
  - Information under the section [Solution] was updated.
- 2022/06/03
  - Information under the section [Solution] was updated.
- 2022/06/10
  - Information under the section [Solution] was updated.
- 2022/06/16
  - Information under the section [Solution] was updated.
- 2022/06/16
  - FUJITSU LIMITED updated its status.