Published:2022/09/01  Last Updated:2022/09/01

JVNVU#98305100
Multiple vulnerabilities in Contec FLEXLAN FX3000 and FX2000 series

Overview

FLEXLAN FX3000 and FX2000 series provided by Contec Co., Ltd. contain multiple vulnerabilities.

Products Affected

  • FLEXLAN FX3000 series
    • Firmware versions prior to ver.1.16.00
  • FLEXLAN FX2000 series
    • Firmware versions prior to ver.1.39.00
For more information, refer to the information provided by the developer.

Description

FLEXLAN FX3000 and FX2000 series provided by Contec Co., Ltd. contain multiple vulnerabilities listed below.

  • Hidden Functionality (CWE-912) - CVE-2022-36158
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
  • Use of Hard-coded Credentials (CWE-798) - CVE-2022-36159
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8

Impact

  • An attacker may execute an arbitrary OS command with an administrative privilege of the product - CVE-2022-36158
  • An attacker may access the product with an administrative privilege - CVE-2022-36159

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer has released the following versions that contain fixes for these vulnerabilities.

  • FLEXLAN FX3000 series
    • Firmware version ver.1.16.00
  • FLEXLAN FX2000 series
    • Firmware version ver.1.39.00

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia