IPA/ISEC : Vulnerabilities : Security Alert for I-O DATA DEVICE HDL-F Series Vulnerability

HOME >> IT Security >> Vulnerabilities >> Security Alert for I-O DATA DEVICE HDL-F Series Vulnerability

Security Alert for I-O DATA DEVICE HDL-F Series Vulnerability

November 26, 2008
>> JAPANESE

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) announced a security alert on November 26, 2008 concerning a vulnerability for the I-O DATA DEVICE HDL-F Series.
This vulnerability causes users of the I-O DATA DEVICE HDL-F Series to experience unintended operations in their web administration window after viewing a malicious webpage. If exploited, involuntary procedures may occur, such as the administrative password of the product in question rewritten or the hard disk reformatted.
To fix this vulnerability, update firmware to the newest version.

1.Overview

I-O DATA DEVICE provides a LAN Disk, the HDL-F Series, which allows users to change the settings of functions through the web administration window.

However, the web administration window of the HDL-F Series is susceptible to cross-site request forgery (CSRF), which allows the attacker to perform unintended procedures after users of this product visit a malicious webpage.

For detailed information, please refer to the following URL:
http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000079.html

The IPA first received a report concerning this vulnerability through the creditee below on April 28, 2008, and the JCPERT Coordination Center (JCPERT/CC), in line with the Information Security Early Warning Partnership, made adjustments to clarify the matter with the vendor and made the announcement public on November 26, 2008.
Credit: Takayuki Ogiso

2.Impact

After viewing a malicious webpage, users of the I-O DATA DEVICE HDL-F Series may experience involuntary system operations, such as administrative password changes regarding the product in question and reformatting of the hard disk.

Security Alert for I-O DATA HDL-F Series Vulnerability

3.Solution

To fix this vulnerability, update the firmware to the newest version. I-O DATA provides the necessary information at the following
URL:http://www.iodata.jp/news/2008/important/hdl-f.htm (in Japanese)

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score)	□ Low (0.0~3.9)	□ Medium (4.0~6.9)	■ High (7.0~10.0)
CVSS base score			7.0

(2) Base Score Metrics

AV:Access Vector	□ Local	□ Adjacent 　Network	■ Network
AC:Access Complexity	■ High	□ Medium	□ Low
Au:Authentication	□ Multiple	□ Single	■ None
C:Confidentiality Impact	■ None	□ Partial	□ Complete
I:Integrity Impact	□ None	□ Partial	■ Complete
A:Availability Impact	□ None	□ Partial	■ Complete

■:Selected Values

5.CWE Type

The vulnerability has been CWE classified as a cross-site request forgery (CSRF) (CWE-352)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail:

Top Page