Published: 2024/04/01  Last Updated: 2024/04/01

JVNVU#99285099
FURUNO SYSTEMS Managed Switch ACERA 9010 running in non MS mode with the initial configuration has no password

Overview

The initial configuration of Managed Switch ACERA 9010 provided by FURUNO SYSTEMS Co.,Ltd. contains no password, and the remote access service is enabled.
The product is affected only when running in non MS mode.

Products Affected

  • ACERA 9010-08 firmware v02.04 and earlier
  • ACERA 9010-24 firmware v02.04 and earlier

According to the developer, the products are not affected when running in MS mode (in this mode, the device is managed by a UNIFAS server).

Description

In the initial configuration of Managed Switch ACERA 9010 provided by FURUNO SYSTEMS Co.,Ltd., the password is empty (CWE-258) and the remote access service is enabled.

The products are affected only when running in non MS mode with the initial configuration.

Impact

An unauthenticated attacker may log in to the product with no password, and obtain and/or alter information such as network configuration and user information.

Solution

If the affected product is in use without a password configured, set a password using CLI commands.
For more information, refer to the information provided by the developer.

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8

  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)

Credit

FURUNO SYSTEMS Co.,Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN.

Other Information

CVE: CVE-2024-28744