CVE-2023-42771 - Vulnerability Details - OpenCVE

Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Furunosystems	Acera 1310 Acera 1310 Firmware Acera 1320 Acera 1320 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:furunosystems:acera_1310_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:furunosystems:acera_1310:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:furunosystems:acera_1320_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:furunosystems:acera_1320:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://jvn.jp/en/vu/JVNVU94497038/
https://www.furunosystems.co.jp/news/info/vulner20231002.html

History

Fri, 20 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-288
CPEs		cpe:2.3:o:furunosystems:acera_1310_firmware:-:::::::* cpe:2.3:o:furunosystems:acera_1320_firmware:-:::::::*
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2023-10-03T00:17:00.358Z

Updated: 2024-09-20T13:36:28.745Z

Reserved: 2023-09-22T04:36:33.436Z

Link: CVE-2023-42771

Vulnrichment

Updated: 2024-08-02T19:30:24.335Z

NVD

Status : Modified

Published: 2023-10-03T01:15:56.967

Modified: 2024-11-21T08:23:07.800

Link: CVE-2023-42771

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42771", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2023-09-22T04:36:33.436Z", "datePublished": "2023-10-03T00:17:00.358Z", "dateUpdated": "2024-09-20T13:36:28.745Z"}, "containers": {"cna": {"affected": [{"vendor": "FURUNO SYSTEMS Co.,Ltd.", "product": "ACERA 1320", "versions": [{"version": "firmware ver.01.26 and earlier", "status": "affected"}]}, {"vendor": "FURUNO SYSTEMS Co.,Ltd.", "product": "ACERA 1310", "versions": [{"version": "firmware ver.01.26 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode."}], "problemTypes": [{"descriptions": [{"description": "Authentication bypass", "lang": "en", "type": "text"}]}], "references": [{"url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html"}, {"url": "https://jvn.jp/en/vu/JVNVU94497038/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-10-03T00:17:00.358Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.335Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/vu/JVNVU94497038/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-288", "lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "affected": [{"vendor": "furunosystems", "product": "acera_1320_firmware", "cpes": ["cpe:2.3:o:furunosystems:acera_1320_firmware:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "01.26", "versionType": "custom"}]}, {"vendor": "furunosystems", "product": "acera_1310_firmware", "cpes": ["cpe:2.3:o:furunosystems:acera_1310_firmware:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "01.26", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-20T13:36:23.487612Z", "id": "CVE-2023-42771", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T13:36:28.745Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/vu/JVNVU94497038/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.335Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-42771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-20T13:36:23.487612Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:furunosystems:acera_1320_firmware:-:*:*:*:*:*:*:*"], "vendor": "furunosystems", "product": "acera_1320_firmware", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "01.26"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:furunosystems:acera_1310_firmware:-:*:*:*:*:*:*:*"], "vendor": "furunosystems", "product": "acera_1310_firmware", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "01.26"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T13:36:13.884Z"}}], "cna": {"affected": [{"vendor": "FURUNO SYSTEMS Co.,Ltd.", "product": "ACERA 1320", "versions": [{"status": "affected", "version": "firmware ver.01.26 and earlier"}]}, {"vendor": "FURUNO SYSTEMS Co.,Ltd.", "product": "ACERA 1310", "versions": [{"status": "affected", "version": "firmware ver.01.26 and earlier"}]}], "references": [{"url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html"}, {"url": "https://jvn.jp/en/vu/JVNVU94497038/"}], "descriptions": [{"lang": "en", "value": "Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Authentication bypass"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-10-03T00:17:00.358Z"}}}, "cveMetadata": {"cveId": "CVE-2023-42771", "state": "PUBLISHED", "dateUpdated": "2024-09-20T13:36:28.745Z", "dateReserved": "2023-09-22T04:36:33.436Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2023-10-03T00:17:00.358Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:furunosystems:acera_1310_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FFEB8A0-F2DE-4C34-8C93-BDC2D903BE64", "versionEndIncluding": "01.26", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:furunosystems:acera_1310:-:*:*:*:*:*:*:*", "matchCriteriaId": "D97D14B5-1763-44C0-8EED-A3F787A97A8C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:furunosystems:acera_1320_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F94D3C1-940A-4A09-B99B-9BB79B73EA63", "versionEndIncluding": "01.26", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:furunosystems:acera_1320:-:*:*:*:*:*:*:*", "matchCriteriaId": "09DD97A0-77E2-4BC6-A8EC-7BEF65B75E0C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en el firmware ACERA 1320 versi\u00f3n 01.26 y anteriores, y en el firmware ACERA 1310 versi\u00f3n 01.26 y anteriores, permite que un atacante no autenticado adyacente a la red que puede acceder al producto afectado descargue archivos de configuraci\u00f3n y/o archivos de registro, y cargue archivos de configuraci\u00f3n y /o firmware. Se ven afectados cuando se ejecutan en modo ST (independiente)."}], "id": "CVE-2023-42771", "lastModified": "2024-11-21T08:23:07.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-10-03T01:15:56.967", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/vu/JVNVU94497038/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/vu/JVNVU94497038/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-288"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}