[Japanese]

JVNDB-2024-001062

Yamaha wireless LAN access point devices vulnerable to active debug code

Overview

Active debug code (CWE-489) exists in wireless LAN access point devices provided by Yamaha Corporation.
The debug function can be enabled by performing specific operations.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.2 (Medium) [Other]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Yamaha Corporation
  • WLX202 firmware Rev.16.00.18 and earlier
  • WLX212 firmware Rev.21.00.12 and earlier
  • WLX222 firmware Rev.24.00.03 and earlier
  • WLX313 firmware Rev.18.00.12 and earlier
  • WLX413 firmware Rev.22.00.05 and earlier

Impact

If a logged-in user who knows how to use the debug function accesses the device's management page, this function can be enabled by performing specific operations and as a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

Yamaha Corporation
CWE (What is CWE?)

  1. Active Debug Code(CWE-489) [Other]
CVE (What is CVE?)

  1. CVE-2024-22366
References

  1. JVN : JVNVU#99896362
  2. National Vulnerability Database (NVD) : CVE-2024-22366
Revision History

  • [2024/01/24]
      Web page was published
  • [2024/03/13]
      References : Content was added

Date Public2024/01/23
Date First Published2024/01/24
Date Last Updated2024/03/13