JVNDB-2024-001061

ELECOM wireless LAN routers vulnerable to OS command injection

Overview

Multiple ELECOM wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.8 (Medium)
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.2 (Medium)
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

ELECOM CO.,LTD.
  • WRC-X1800GS-B v1.17 and earlier
  • WRC-X1800GSA-B v1.17 and earlier
  • WRC-X1800GSH-B v1.17 and earlier
  • WRC-X6000XS-G v1.09
  • WRC-X6000XST-G v1.12 and earlier

Impact

If a logged-in user with an administrative privilege sends a specially crafted request to the product, an arbitrary OS command may be executed.
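As an added illustration (not code from this advisory, from JVN, or from ELECOM's firmware), the following C sketch shows the general shape of the CWE-78 class named here in an embedded web UI and one way to remove it. The handler names, the choice of a ping utility as the invoked command, and the request parameter are assumptions; nothing in it is taken from the affected products.

```c
/* Added illustration, not ELECOM's firmware code: the general shape of a
 * CWE-78 (OS command injection) defect in a router web UI handler and a
 * hardened replacement. Handler names and the ping use case are assumed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 253  /* upper bound on a hostname (RFC 1035) */

/* Vulnerable pattern: the request parameter is pasted into a command line
 * that /bin/sh parses, so shell metacharacters in it become extra commands. */
int ping_host_vulnerable(const char *host)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);   /* CWE-78: the shell interprets caller-controlled text */
}

/* Allowlist check: only hostname characters, bounded length, no leading '-'
 * (which ping would read as an option), no leading/trailing/empty labels. */
bool host_is_safe(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > HOST_MAX) return false;
    if (host[0] == '-' || host[0] == '.' || host[len - 1] == '.') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return false;
        if (c == '.' && host[i + 1] == '.') return false;
    }
    return true;
}

/* Hardened pattern: validate first, then pass the value as one argv element
 * to execvp(); no shell is involved, so metacharacters cannot alter the
 * command. Returns the child's exit status, or -1 if rejected or failed. */
int ping_host_safe(const char *host)
{
    if (!host_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);           /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample request values, not taken from any real product. */
    const char *inputs[] = { "192.0.2.1", "router.example", "-c 9 localhost",
                             "203.0.113.5; id", "a$(id)", "a..b", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-20s %s\n", inputs[i],
               host_is_safe(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validation is deliberately an allowlist rather than a denylist of shell characters: a denylist has to anticipate every quoting and substitution form the target shell supports, while an allowlist of hostname characters plus the no-shell `execvp()` call makes the question moot. Note that the vulnerability here is reachable only with an authenticated administrative session, which matches the "Privileges Required: High" metric above but does not make the defect harmless, since the command runs with the web server's privileges on the device.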

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

Vendor Information

ELECOM CO.,LTD.

CWE

  1. OS Command Injection (CWE-78)

CVE

  1. CVE-2024-22372

References

  1. JVN : JVNVU#90908488
  2. National Vulnerability Database (NVD) : CVE-2024-22372

Revision History

  • [2024/01/24]
      Web page was published
  • [2024/03/06]
      References : Content was added