Multiple Yamaha routers vulnerable to denial-of-service (DoS)


Multiple routers provided by Yamaha contain a denial-of-service vulnerability.

Multiple routers provided by Yamaha contain a denial-of-service (DoS) vulnerability due to an issue in processing IP packets.

Yuji Ukai of Fourteenforty Research Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 7.8 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete

IP packets that contain invalid values in the IP option header are mostly discarded by the router, therefore an attack through the internet being successful is highly unlikely.
Affected Products

A wide range of products are affected. For more information, refer to the developer's website.

Yamaha Corporation
  • RT Series
  • RTA Series
  • RTV Series
  • RTW Series
  • RTX Series
  • SRT Series
NEC Corporation


A remote attacker may cause a denial-of-service (DoS).

[Update the firmware]
Update to the latest version of firmware according to the information provided by the developer.
According to the developer, firmware addressing this vulnerability will be released successively.

[Apply a workaround]
If updated firmware cannot be obtained, the following workaround may mitigate the affects of this vulnerability.

Utilize packet filtering to prevent accepting malicious IP packets

According to the developer, firmware updates for certain models will not be released.
Vendor Information

Yamaha Corporation NEC Corporation
  • NEC Security Information : NV11-004 (Japanese)
CWE (What is CWE?)

  1. Numeric Errors(CWE-189) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2011-1323

  1. JVN : JVN#55714408
  2. National Vulnerability Database (NVD) : CVE-2011-1323
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in Yamaha Routers
Revision History

  Web page published
  CVSS Severity section updated