CVSS Score: 7.5 HIGH
CVE-2024-39921
IPCOM EX2 and VE2 Series Encryption Decryption Timing Vulnerability
Description

Observable timing discrepancy issue exists in IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301, and IPCOM VE2 Series V01L04NF0001 to V01L06NF0112. If this vulnerability is exploited, some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication.

INFO

Published Date: Sept. 4, 2024, 3:15 a.m.
Last Modified: Sept. 19, 2024, 2:59 p.m.
Remotely Exploitable: Yes
Impact Score: 3.6
Exploitability Score: 3.9

Affected Products

The following products are affected by the CVE-2024-39921 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product
1 Fujitsu ipcom_ex2_sc_3500_firmware
2 Fujitsu ipcom_ex2_sc_3200_firmware
3 Fujitsu ipcom_ex2_lb_3500_firmware
4 Fujitsu ipcom_ex2_lb_3200_firmware
5 Fujitsu ipcom_ex2_in_3200_firmware
6 Fujitsu ipcom_ex2_in_3500_firmware
7 Fujitsu ipcom_ex2_dc_3500_firmware
8 Fujitsu ipcom_ex2_dc_3200_firmware
9 Fujitsu ipcom_ve2_ls_100_firmware
10 Fujitsu ipcom_ve2_ls_200_firmware
11 Fujitsu ipcom_ve2_ls_220_firmware
12 Fujitsu ipcom_ve2_ls_plus_100_firmware
13 Fujitsu ipcom_ve2_ls_plus_200_firmware
14 Fujitsu ipcom_ve2_ls_plus_220_firmware
15 Fujitsu ipcom_ve2_ls_plus2_200_firmware
16 Fujitsu ipcom_ve2_ls_plus2_220_firmware
17 Fujitsu ipcom_ve2_sc_plus_100_firmware
18 Fujitsu ipcom_ve2_sc_plus_200_firmware
19 Fujitsu ipcom_ve2_sc_plus_220_firmware
20 Fujitsu ipcom_ve2_ls_100
21 Fujitsu ipcom_ve2_ls_200
22 Fujitsu ipcom_ve2_ls_220
23 Fujitsu ipcom_ve2_ls_plus_100
24 Fujitsu ipcom_ve2_ls_plus_200
25 Fujitsu ipcom_ve2_ls_plus_220
26 Fujitsu ipcom_ve2_ls_plus2_200
27 Fujitsu ipcom_ve2_ls_plus2_220
28 Fujitsu ipcom_ve2_sc_plus_100
29 Fujitsu ipcom_ve2_sc_plus_200
30 Fujitsu ipcom_ve2_sc_plus_220
31 Fujitsu ipcom_ex2_in_3200
32 Fujitsu ipcom_ex2_in_3500
33 Fujitsu ipcom_ex2_lb_3200
34 Fujitsu ipcom_ex2_lb_3500
35 Fujitsu ipcom_ex2_sc_3200
36 Fujitsu ipcom_ex2_sc_3500
37 Fujitsu ipcom_ex2_dc_3200
38 Fujitsu ipcom_ex2_dc_3500
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-39921.

URL Resource
https://jvn.jp/en/jp/JVN29238389/ Mitigation Third Party Advisory
https://www.fujitsu.com/jp/products/network/support/2024/ipcom-04/ Mitigation Vendor Advisory

The following table lists the changes that have been made to the CVE-2024-39921 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Sep. 19, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Changed Reference Type https://jvn.jp/en/jp/JVN29238389/ No Types Assigned https://jvn.jp/en/jp/JVN29238389/ Mitigation, Third Party Advisory
    Changed Reference Type https://www.fujitsu.com/jp/products/network/support/2024/ipcom-04/ No Types Assigned https://www.fujitsu.com/jp/products/network/support/2024/ipcom-04/ Mitigation, Vendor Advisory
    Added CWE NIST CWE-203
  • CVE Received by [email protected]

    Sep. 04, 2024

    Action Type Old Value New Value
    Added Description Observable timing discrepancy issue exists in IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301, and IPCOM VE2 Series V01L04NF0001 to V01L06NF0112. If this vulnerability is exploited, some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication.
    Added Reference JPCERT/CC https://www.fujitsu.com/jp/products/network/support/2024/ipcom-04/ [No types assigned]
    Added Reference JPCERT/CC https://jvn.jp/en/jp/JVN29238389/ [No types assigned]
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-39921 is associated with the following CWE:

CWE-203: Observable Discrepancy

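CVSS 3.1 - Vulnerability Scoring System

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None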