Headline
CVE-2023-38555: Fujitsu network devices Si-R series and SR-M series vulnerable to authentication bypass
Authentication bypass vulnerability in Fujitsu network devices Si-R series and SR-M series allows a network-adjacent unauthenticated attacker to obtain, change, and/or reset configuration settings of the affected products. Affected products and versions are as follows: Si-R 30B all versions, Si-R 130B all versions, Si-R 90brin all versions, Si-R570B all versions, Si-R370B all versions, Si-R220D all versions, Si-R G100 V02.54 and earlier, Si-R G200 V02.54 and earlier, Si-R G100B V04.12 and earlier, Si-R G110B V04.12 and earlier, Si-R G200B V04.12 and earlier, Si-R G210 V20.52 and earlier, Si-R G211 V20.52 and earlier, Si-R G120 V20.52 and earlier, Si-R G121 V20.52 and earlier, and SR-M 50AP1 all versions.
Published: 2023/07/26 Last Updated: 2023/07/26
Overview
Multiple network devices Si-R series and SR-M series provided by Fujitsu Limited contain an authentication bypass vulnerability.
Products Affected
- Si-R series
  - Si-R 30B all versions
  - Si-R 130B all versions
  - Si-R 90brin all versions
- Si-R V35 series
  - Si-R570B all versions
  - Si-R370B all versions
  - Si-R220D all versions
- Si-RG V2 series
  - Si-R G100 V02.54 and earlier
  - Si-R G200 V02.54 and earlier
- Si-RG V4 series
  - Si-R G100B V04.12 and earlier
  - Si-R G110B V04.12 and earlier
  - Si-R G200B V04.12 and earlier
- Si-RG V20 series
  - Si-R G210 V20.52 and earlier
  - Si-R G211 V20.52 and earlier
  - Si-R G120 V20.52 and earlier
  - Si-R G121 V20.52 and earlier
- SR-M series
  - SR-M 50AP1 all versions
Description
The web management interface of Fujitsu network devices Si-R series and SR-M series contains an authentication bypass vulnerability (CWE-287, CVE-2023-38555).
Impact
An attacker who can access the product may obtain the product’s configuration information or change/reset the configuration settings.
Solution
Update the firmware
Update firmware to the latest version according to the information provided by the developer.
The developer plans to publish updates for Si-RG V2 series, Si-RG V4 series, and Si-RG V20 series in August 2023.
Apply the workarounds
Applying the following workarounds may mitigate the impacts of this vulnerability.
- Change the product’s settings to disable HTTP/HTTPS functions
- Do not use the web management interface of the affected products
To apply the workaround for Si-R 30B or Si-R 130B, the firmware must be updated to the following versions.
- Si-R 30B V02.05
- Si-R 130B V04.09
For the details, refer to the information provided by the developer.
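The following Python code is an added example, not from JPCERT/CC or the developer. It triages inventory entries against the affected versions and workaround prerequisites listed in this advisory. The helper names `triage` and `parse_version`, and the assumption that firmware strings follow the `Vmajor.minor` form seen in this advisory, are illustrative.

```python
import re

# Affected ranges transcribed from this advisory.
# None = all versions affected; (major, minor) = that version and earlier.
AFFECTED = {
    "Si-R 30B": None, "Si-R 130B": None, "Si-R 90brin": None,
    "Si-R570B": None, "Si-R370B": None, "Si-R220D": None,
    "Si-R G100": (2, 54), "Si-R G200": (2, 54),
    "Si-R G100B": (4, 12), "Si-R G110B": (4, 12), "Si-R G200B": (4, 12),
    "Si-R G210": (20, 52), "Si-R G211": (20, 52),
    "Si-R G120": (20, 52), "Si-R G121": (20, 52),
    "SR-M 50AP1": None,
}
# Firmware the advisory requires before the workaround can be applied.
WORKAROUND_MIN = {"Si-R 30B": (2, 5), "Si-R 130B": (4, 9)}

def _key(model):
    # Normalize spacing and case so "Si-R570B" and "si-r 570b" compare equal.
    return re.sub(r"[\s_]+", "", model).lower()

_AFFECTED = {_key(m): (m, v) for m, v in AFFECTED.items()}
_WORKAROUND = {_key(m): v for m, v in WORKAROUND_MIN.items()}

def parse_version(text):
    """Parse 'V02.54' (assumed Vmajor.minor format) into (2, 54)."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognized firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(model, version):
    """Return (status, note) for one inventory entry."""
    entry = _AFFECTED.get(_key(model))
    if entry is None:
        return "not-listed", "model is not in the advisory"
    name, limit = entry
    ver = parse_version(version)
    if limit is not None and ver > limit:
        return "not-affected", f"{name} is newer than V{limit[0]:02d}.{limit[1]:02d}"
    need = _WORKAROUND.get(_key(model))
    if need and ver < need:
        return "affected", f"update to V{need[0]:02d}.{need[1]:02d} before applying the workaround"
    return "affected", "update firmware or disable HTTP/HTTPS management"
```

An unparseable version string raises `ValueError`, so such entries surface for manual review.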
Vulnerability Analysis by JPCERT/CC
CVSS v3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
- Attack Vector (AV): Adjacent (A)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): Low (L)
- Integrity Impact (I): High (H)
- Availability Impact (A): Low (L)
CVSS v2 AV:A/AC:H/Au:N/C:P/I:C/A:P
- Access Vector (AV): Adjacent Network (A)
- Access Complexity (AC): High (H)
- Authentication (Au): None (N)
- Confidentiality Impact (C): Partial (P)
- Integrity Impact (I): Complete (C)
- Availability Impact (A): Partial (P)
Credit
Katsuhiko Sato (a.k.a. goroh_kun) of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
CVE
CVE-2023-38555