Fujifilm FCR Carbon X/FCR Capsula X/FCR XC-2 Telnet Service access control

Summaryinfo

A vulnerability identified as critical has been detected in Fujifilm FCR Carbon X, FCR Capsula X and FCR XC-2. Affected by this issue is some unknown functionality of the component Telnet Service. The manipulation leads to access control. This vulnerability is listed as CVE-2019-10950. The attack may be initiated remotely. In addition, an exploit is available. You should change the configuration settings.

Detailsinfo

A vulnerability, which was classified as very critical, has been found in Fujifilm FCR Carbon X, FCR Capsula X and FCR XC-2 (Medical Device Software) (affected version not known). This issue affects some unknown functionality of the component Telnet Service. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability.

The bug was discovered 01/23/2019. The weakness was presented 04/23/2019 by Marc Ruef and Rocco Gagliardi with scip AG as ICSMA-19-113-01 as confirmed ics-cert (Website). It is possible to read the advisory at ics-cert.us-cert.gov. The public release was coordinated in cooperation with Fujifilm. The identification of this vulnerability is CVE-2019-10950 since 04/08/2019. The attack may be initiated remotely. A simple authentication is required for exploitation. Technical details are unknown but a private exploit is available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 09/06/2023). The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. The advisory points out:

The device provides insecure telnet services that lack authentication requirements. An attacker who successfully exploits this vulnerability may be able to access the underlying operating system.

A private exploit has been developed by Marc Ruef/Rocco Gagliardi. It is declared as functional. The vulnerability was handled as a non-public zero-day exploit for at least 90 days. During that time the estimated underground price was around $25k-$100k.

It is possible to mitigate the problem by applying the configuration setting . A possible mitigation has been published immediately after the disclosure of the vulnerability. The ics-cert contains the following remark:

Fujifilm has stated the CR-IR 357 system can be configured with what they call Secure Host functionality. This configuration of the software instructs CR-IR 357 to ignore all network traffic other than from the IP address of the Fujifilm image acquisition console. However, this configuration prevents more than one image acquisition console to share the CR-IR 357 Reader Unit. If the user has not implemented Reader Unit sharing, they may contact Fujifilm to request Secure Host functionality be enabled.

See VDB-134002 for similar entry. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Medical Device Software

Vendor

• Fujifilm

Name

• FCR Capsula X
• FCR Carbon X
• FCR XC-2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion