NVD Vulnerability Detail

CVE-2024-39921

Summary	Observable timing discrepancy issue exists in IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301, and IPCOM VE2 Series V01L04NF0001 to V01L06NF0112. If this vulnerability is exploited, some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication.
Publication Date	Sept. 4, 2024, 12:15 p.m.
Registration Date	Sept. 4, 2024, 4 p.m.
Last Update	Sept. 19, 2024, 11:59 p.m.

CVSS3.1 : HIGH
スコア	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_100_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_100:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_200_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_200:-:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_220_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_220:-:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_plus_100_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_plus_100:-:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_plus_200_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_plus_200:-:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_plus_220_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_plus_220:-:::::::*

Configuration7		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_plus2_200_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_plus2_200:-:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_ls_plus2_220_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_ls_plus2_220:-:::::::*

Configuration9		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_sc_plus_100_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_sc_plus_100:-:::::::*

Configuration10		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_sc_plus_200_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_sc_plus_200:-:::::::*

Configuration11		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ve2_sc_plus_220_firmware::::::::		v01l04nf0001	v01l06nf0112
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ve2_sc_plus_220:-:::::::*

Configuration12		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_in_3200_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_in_3200_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_in_3200_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_in_3200:-:::::::*

Configuration13		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_in_3500_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_in_3500_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_in_3500_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_in_3500:-:::::::*

Configuration14		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_lb_3200_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_lb_3200_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_lb_3200_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_lb_3200:-:::::::*

Configuration15		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_lb_3500_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_lb_3500_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_lb_3500_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_lb_3500:-:::::::*

Configuration16		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_sc_3200_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_sc_3200_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_sc_3200_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_sc_3200:-:::::::*

Configuration17		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_sc_3500_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_sc_3500_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_sc_3500_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_sc_3500:-:::::::*

Configuration18		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_dc_3200_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_dc_3200_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_dc_3200_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_dc_3200:-:::::::*

Configuration19		or higher	or less	more than	less than
cpe:2.3:o:fujitsu:ipcom_ex2_dc_3500_firmware::::::::		v01l02nf0001	v01l06nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_dc_3500_firmware::::::::		v01l20nf0001	v01l20nf0401
cpe:2.3:o:fujitsu:ipcom_ex2_dc_3500_firmware::::::::		v02l20nf0001	v02l21nf0301
execution environment
1	cpe:2.3:h:fujitsu:ipcom_ex2_dc_3500:-:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.fujitsu.com/jp/products/network/support/2024/ipcom-04/		Mitigation Vendor Advisory
2	https://jvn.jp/en/jp/JVN29238389/		Mitigation Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-203	セキュリティ関連の処理に対するレスポンスの違いに起因する情報漏えい	https://cwe.mitre.org/data/definitions/203.html

JVN Vulnerability Information

IPCOMにおける処理時間の相違に起因する情報漏えいの脆弱性

Title	IPCOMにおける処理時間の相違に起因する情報漏えいの脆弱性
Summary	エフサステクノロジーズ株式会社が提供するIPCOMのSSLアクセラレータ機能およびSSL-VPN機能には、処理時間の相違に起因する情報漏えいの脆弱性（CWE-208）が存在します。この脆弱性情報は、製品利用者への周知を目的に、開発者がJPCERT/CCに報告し、JPCERT/CCが開発者との調整を行いました。
Possible impacts	通信内容を取得可能な攻撃者によって、暗号通信の一部が解読される可能性があります。
Solution	[アップデートする] 開発者が提供する情報をもとに、ファームウェアを最新版へアップデートしてください。 [ワークアラウンドを実施する] 以下の回避策を適用することで、本脆弱性の影響を回避することができます。・IPCOMの暗号スイートの設定にて、RSA鍵交換の暗号スイートを無効にする詳細は、開発者が提供する情報をご確認ください。
Publication Date	Aug. 30, 2024, midnight
Registration Date	Aug. 30, 2024, 2:23 p.m.
Last Update	Aug. 30, 2024, 2:23 p.m.

Affected System

エフサステクノロジーズ株式会社

IPCOM EX2シリーズ V01L02NF0001からV01L06NF0401まで、V01L20NF0001からV01L20NF0401まで、V02L20NF0001からV02L21NF0301まで

IPCOM VE2シリーズ V01L04NF0001からV01L06NF0112まで

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-39921	https://www.cve.org/CVERecord?id=CVE-2024-39921

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
エフサステクノロジーズ株式会社
1	IPCOM製品のSSLアクセラレータ/SSL-VPN機能における脆弱性について	https://www.fujitsu.com/jp/products/network/support/2024/ipcom-04/index.html

その他

No	Name	URL
JVN
1	JVN#29238389	https://jvn.jp/jp/JVN29238389/index.html

Change Log

No	Changed Details	Date of change
1	[2024年08月30日] 掲載	Aug. 28, 2024, 4:20 p.m.