JVNVU#98291763
PLANEX MZK-DP150N contains hidden administrative functionality
Overview
MZK-DP150N provided by PLANEX COMMUNICATIONS INC. contains a hidden administrative screen.
Products Affected
- MZK-DP150N v1.43 and earlier
Description
MZK-DP150N provided by PLANEX COMMUNICATIONS INC. contains a hidden administrative screen (CVE-2021-37289, CWE-912).
Impact
A user who can log in to the configuration screen may execute arbitrary OS commands with the administrative privilege.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer has released MZK-DP150N v1.44 which fixes this vulnerability.
Vendor Status
Vendor | Link |
PLANEX COMMUNICATIONS INC. | MZK-DP150N (Text in Japanese) |
DOWNLOAD MZK-DP150N (Text in Japanese) |
References
JPCERT/CC Addendum
In the initial settings of the product, the login account for the configuration screen is common to all products.
Please change the account information from the initial settings before using it.
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | ||
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | ||
Scope(S) | Unchanged (U) | Changed (C) | ||
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.