JVNDB-2008-000005

Multiple Yamaha routers vulnerable to cross-site request forgery

Overview

The web interface in multiple Yamaha routers is vulnerable to cross-site request forgery.

Multiple Yamaha routers provide a web-based interface for users to configure the settings of the routers.
The web interface is vulnerable to cross-site request forgery.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Yamaha Corporation
  • NetVolante Series RT58i
  • NetVolante Series RT57i
  • NetVolante Series RT56v
  • NetVolante Series RTA55i
  • NetVolante Series RTA54i
  • NetVolante Series RTA52i
  • NetVolante Series RTA50i
  • NetVolante Series RT60w
  • NetVolante Series RTW65i
  • NetVolante Series RTW65b
  • NetVolante Series RT80i
  • RT Series RT107e
  • RTV Series RTV700
  • RTV Series RTV01
  • RTX Series RTX1100
  • RTX Series RTX1500
  • RTX Series RTX1000
  • SRT Series SRT100
NEC Corporation
  • IP38X SERIES 58i
  • IP38X SERIES 57i
  • IP38X SERIES 55i
  • IP38X SERIES 1500
  • IP38X SERIES 1100
  • IP38X SERIES 1000
  • IP38X SERIES V700
  • IP38X SERIES 107e
  • IP38X SERIES SR100

Impact

If the administrator views a malicious website while logged in to the web interface, the password and other configuration settings can be modified.

Solution

[Update the Software]
Apply the latest firmware provided by the vendors.

[Change settings of the router]
Change settings of the router so that no configuration settings can be modified through a web browser.

For more information, refer to the vendors' websites.

Vendor Information

Yamaha Corporation
NEC Corporation
  • NEC Security Information: NV08-001 (Japanese)

CWE

  1. Cross-Site Request Forgery (CWE-352) [NVD Evaluation]

CVE

  1. CVE-2008-0524

References

  1. JVN : JVN#88575577
  2. National Vulnerability Database (NVD) : CVE-2008-0524
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in Multiple YAMAHA Routers
  4. Secunia Advisory : SA28690
  5. SecurityFocus : 27491
  6. ISS X-Force Database : 40015

Revision History

  • [2008/05/21] Web page published