[Japanese]

JVNDB-2016-000168

Toshiba FlashAir does not require authentication in "Internet pass-thru Mode"

Overview

FlashAir by Toshiba Corporation is a SDHC memory card which provides "Internet pass-thru Mode", allowing devices to access the internet while connecting to FlashAir. When configured in "Internet pass-thru Mode", FlashAir acts both as a station and as an access point.
When "Internet pass-thru Mode" is enabled, FlashAir does not require authentication on accepting a connection from STA (station) side LAN.

Tsukada Nobuhisa of Seasoft reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


TOSHIBA
  • FlashAir Class 6 model with firmware version 1.00.04 and later (Countries & Regions except Japan and USA)
  • FlashAir Class 6 model with firmware version 1.00.04 and later (USA)
  • FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later (USA)
  • FlashAir III Class 10 model W-03 series (USA)
  • FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later (Japan)
  • FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later (Japan)
  • FlashAir SD-WE series Class 10 model W-03 (Japan)
  • FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later (Countries & Regions except Japan and USA)
  • FlashAir W-03 series Class 10 model (Countries & Regions except Japan and USA)

Impact

A remote unauthenticated attacker with access to STA side LAN can obtain files or data saved in the vulnerable product.
In addition, when FlashAir III / FlashAir W-03 series is configured to access/upload files or data by WebDAV without authentication, the files and data saved in the vulnerable product can be altered or an arbitrary Lua script can be executed.
Solution

[Change default settings in the configuration]
Before enabling "Internet pass thru Mode", change the default settings to require authentication to the FlashAir web server.
In FlashAir API, followings are provided. Refer to the respective instructions for more information.

* Authentication method (HTTPDMODE)
* Authentication password (HTTPDPASS)
Vendor Information

TOSHIBA
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2016-4863
References

  1. JVN : JVN#39619137
  2. National Vulnerability Database (NVD) : CVE-2016-4863
Revision History

  • [2016/10/12]
      Web page was published
    [2017/11/27]
      References : Content was added

Date Public2016/09/27
Date First Published2016/10/12
Date Last Updated2017/11/27