Key Information

1. Vulnerability ID:
   - JVN#29238389
2. Vulnerability Name:
   - IPCOM vulnerable to information disclosure
3. Affected Products:
   - IPCOM EX2 Series V01L02NF0001 to V01L06NF0401
   - IPCOM VE2 Series V01L04NF0001 to V01L06NF0112
4. Description:
   - The SSL Accelerator/SSL-VPN Function of IPCOM, provided by Fsas Technologies Inc., contains an information disclosure vulnerability due to observable timing discrepancy (CWE-208).
5. Impact:
   - Some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication.
6. Solution:
   - Update Firmware:
     - Update the firmware to the latest version according to the information provided by the developer.
   - Workaround:
     - Disable the RSA key exchange cipher suite in the IPCOM cipher suite settings.
7. Vendor Status:
   - Fsas Technologies Inc.: Vulnerable
   - Last Update: 2024/08/30
   - Vendor Notes: Fsas Technologies Inc. website
8. References:
   - JPCERT/CC Addendum
   - Vulnerability Analysis by JPCERT/CC
   - CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
   - Base Score: 5.9
9. Credits:
   - Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fsas Technologies Inc. coordinated under the Information Security Early Warning Partnership.
10. Additional Information:
   - JPCERT Alert
   - JPCERT Reports
   - CERT Advisory
   - CPNI Advisory
   - TRnotes
   - CVE: CVE-2024-39921
   - JVN iPedia: JVNDB-2024-000091
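The workaround targets suites whose key exchange is static RSA; suites that only authenticate with an RSA certificate (ECDHE-RSA, DHE-RSA) use a different key exchange. The following audit helper is an added example, not code from the advisory or the vendor. It assumes the enabled suites are available as a list of IANA-style or OpenSSL-style names (the page does not show IPCOM's own settings format), and the sample list is constructed.

```python
import re

# IANA names: static RSA key exchange is TLS_RSA_WITH_*, plus the RSA_PSK and
# export variants, which also carry an RSA-encrypted premaster secret.
_IANA_RSA_KX = re.compile(r"^(TLS|SSL)_RSA(_PSK|_EXPORT)?_WITH_")

# OpenSSL names carry a prefix for every key exchange except static RSA,
# so "no known prefix" is treated as RSA key exchange (a naming heuristic).
_OPENSSL_OTHER_KX = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-",
                     "AECDH-", "PSK-", "SRP-", "KRB5-", "GOST")


def uses_rsa_key_exchange(suite: str) -> bool:
    """True if the suite name denotes RSA key exchange (not just RSA auth)."""
    name = suite.strip().upper()
    if "_" in name:  # IANA style; TLS 1.3 names such as TLS_AES_* land here
        return bool(_IANA_RSA_KX.match(name))
    if name.startswith("EXP-"):  # OpenSSL export prefix precedes the kx prefix
        name = name[4:]
    if name.startswith("RSA-PSK-"):
        return True
    return not name.startswith(_OPENSSL_OTHER_KX)


def audit(suites):
    """Return the enabled suites that the workaround says to disable."""
    cleaned = (s.strip() for s in suites)
    return [s for s in cleaned if s and uses_rsa_key_exchange(s)]


# Constructed sample of an enabled-suite list (assumption, not IPCOM output).
SAMPLE_ENABLED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for suite in audit(SAMPLE_ENABLED):
        print("disable:", suite)
```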