Published:2022/08/22  Last Updated:2022/08/22

JVNVU#98291763
PLANEX MZK-DP150N contains hidden administrative functionality

Overview

MZK-DP150N provided by PLANEX COMMUNICATIONS INC. contains a hidden administrative screen.

Products Affected

  • MZK-DP150N v1.43 and earlier

Description

MZK-DP150N provided by PLANEX COMMUNICATIONS INC. contains a hidden administrative screen (CVE-2021-37289, CWE-912).

Impact

A user who can log in to the configuration screen may execute arbitrary OS commands with the administrative privilege.

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer has released MZK-DP150N v1.44 which fixes this vulnerability.

Vendor Status

References

JPCERT/CC Addendum

In the initial settings of the product, the login account for the configuration screen is common to all products.
Please change the account information from the initial settings before using it.

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score: 6.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia