[Japanese]

JVNDB-2015-000011

Multiple ASUS wireless LAN routers vulnerable to OS command injection

Overview

Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain an OS command injection vulnerability.

Masashi Sakai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 5.2 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


ASUS JAPAN Inc.
  • RT-AC56S Firmware versions prior to 3.0.0.4.378.6065
  • RT-AC68U Firmware versions prior to 3.0.0.4.378.6152
  • RT-AC87U Firmware versions prior to 3.0.0.4.378.6065
  • RT-N56U Firmware versions prior to 3.0.0.4.378.6065
  • RT-N66U Firmware versions prior to 3.0.0.4.378.6065

[Added on June 17, 2015] Note that the firmware versions released on January 12, 2015 did not address the vulnerability completely. Newer firmware versions have been released.
Impact

An arbitrary OS command may be executed by an authenticated attacker.

In addition, when this vulnerability is exploited along with the vulnerability stated in JVN#32631078, an arbitrary OS command may be executed if a logged in user views a malicious page.
Solution

[Update the Firmware]
Apply the appropriate firmware update provided by the developer.
Vendor Information

ASUS JAPAN Inc.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-7269
References

  1. JVN : JVN#77792759
  2. National Vulnerability Database (NVD) : CVE-2014-7269
Revision History

[2015/01/27]
  Web page was published
[2015/01/29]
  Impact was modified
[2015/02/16]
  References : Content was added
[2015/06/17]
  Affected Products : Product's version were modified