[Japanese]

JVNDB-2015-000085

Multiple Buffalo wireless LAN routers vulnerable to OS command injection

Overview

Multiple wireless LAN routers provided by BUFFALO INC. contain an OS command injection vulnerability.

Masashi Sakai, Satoshi Ogawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 5.2 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


BUFFALO INC.
  • BHR-4GRV2 Ver.1.04 and earlier
  • WEX-300 Ver.1.60 and earlier
  • WHR-1166DHP Ver.1.60 and earlier
  • WHR-300HP2 Ver.1.60 and earlier
  • WHR-600D Ver.1.60 and earlier
  • WMR-300 Ver.1.60 and earlier
  • WSR-600DHP Ver.1.60 and earlier

Impact

An authenticated attacker may be able to execute arbitrary OS commands.
Solution

[Update the Firmware]
Apply the appropriate firmware update provided by the developer.
Vendor Information

BUFFALO INC.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-9284
References

  1. JVN : JVN#50447904
  2. National Vulnerability Database (NVD) : CVE-2014-9284
Revision History

[2015/06/05]
  Web page was published
[2015/06/10]
  References : Content was added