Vulnerabilites related to Safie Inc. - Safie One
jvndb-2024-000086
Vulnerability from jvndb
Published
2024-08-22 13:51
Modified
2024-08-29 12:23
Severity ?
Summary
Multiple Safie products vulnerable to improper server certificate verification
Details
Multiple Safie products are vulnerable to improper server certificate verification (CWE-295).
The product can be operated via port 11029/TCP and Bluetooth, and its communications are AES encrypted. The product user can obtain the encryption key from the cloud server based on the device-specific information. The user who has obtained the device-specific information can directly operate the device (even if it is not owned by the user).
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN83440451/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-39771 | |
| No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Safie Inc. | QBiC CLOUD CC-2L | |
| Safie Inc. | Safie One |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000086.html", "dc:date": "2024-08-29T12:23+09:00", "dcterms:issued": "2024-08-22T13:51+09:00", "dcterms:modified": "2024-08-29T12:23+09:00", description: "Multiple Safie products are vulnerable to improper server certificate verification (CWE-295).\r\nThe product can be operated via port 11029/TCP and Bluetooth, and its communications are AES encrypted. The product user can obtain the encryption key from the cloud server based on the device-specific information. The user who has obtained the device-specific information can directly operate the device (even if it is not owned by the user).\r\n\r\nTaizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", link: "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000086.html", "sec:cpe": [ { "#text": "cpe:/a:misc:safie_qbic_cloud_cc-2l", "@product": "QBiC CLOUD CC-2L", "@vendor": "Safie Inc.", "@version": "2.2", }, { "#text": "cpe:/a:misc:safie_safie_one", "@product": "Safie One", "@vendor": "Safie Inc.", "@version": "2.2", }, ], "sec:cvss": { "@score": "4.2", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "@version": "3.0", }, "sec:identifier": "JVNDB-2024-000086", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN83440451/index.html", "@id": "JVN#83440451", "@source": "JVN", }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-39771", "@id": "CVE-2024-39771", "@source": "CVE", }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)", }, ], title: "Multiple Safie products vulnerable to improper server certificate verification", }
cve-2024-39771
Vulnerability from cvelistv5
Published
2024-08-28 05:54
Modified
2024-10-28 20:38
Severity ?
EPSS score ?
Summary
QBiC CLOUD CC-2L v1.1.30 and earlier and Safie One v1.8.2 and earlier do not properly validate certificates, which may allow a network-adjacent unauthenticated attacker to obtain and/or alter communications of the affected product via a man-in-the-middle attack.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Safie Inc. | QBiC CLOUD CC-2L |
Version: v1.1.30 and earlier |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-39771", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-28T13:20:59.966391Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295 Improper Certificate Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-28T20:38:01.709Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "QBiC CLOUD CC-2L", vendor: "Safie Inc.", versions: [ { status: "affected", version: "v1.1.30 and earlier", }, ], }, { product: "Safie One", vendor: "Safie Inc.", versions: [ { status: "affected", version: "v1.8.2 and earlier", }, ], }, ], descriptions: [ { lang: "en", value: "QBiC CLOUD CC-2L v1.1.30 and earlier and Safie One v1.8.2 and earlier do not properly validate certificates, which may allow a network-adjacent unauthenticated attacker to obtain and/or alter communications of the affected product via a man-in-the-middle attack.", }, ], problemTypes: [ { descriptions: [ { description: "Improper certificate validation", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-28T05:54:05.967Z", orgId: "ede6fdc4-6654-4307-a26d-3331c018e2ce", shortName: "jpcert", }, references: [ { url: "https://safie.jp/information/post_6933/", }, { url: "https://jvn.jp/en/jp/JVN83440451/", }, ], }, }, cveMetadata: { assignerOrgId: "ede6fdc4-6654-4307-a26d-3331c018e2ce", assignerShortName: "jpcert", cveId: "CVE-2024-39771", datePublished: "2024-08-28T05:54:05.967Z", dateReserved: "2024-08-15T04:38:04.405Z", dateUpdated: "2024-10-28T20:38:01.709Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }