JVNDB-2015-000011
|
Multiple ASUS wireless LAN routers vulnerable to OS command injection
|
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain an OS command injection vulnerability.
Masashi Sakai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 5.2 (Medium) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
ASUS JAPAN Inc.
- RT-AC56S Firmware versions prior to 3.0.0.4.378.6065
- RT-AC68U Firmware versions prior to 3.0.0.4.378.6152
- RT-AC87U Firmware versions prior to 3.0.0.4.378.6065
- RT-N56U Firmware versions prior to 3.0.0.4.378.6065
- RT-N66U Firmware versions prior to 3.0.0.4.378.6065
|
[Added on June 17, 2015]
Note that the firmware versions released on January 12, 2015 did not address the vulnerability completely. Newer firmware versions have been released.
|
An arbitrary OS command may be executed by an authenticated attacker.
In addition, when this vulnerability is exploited along with the vulnerability stated in JVN#32631078, an arbitrary OS command may be executed if a logged-in user views a malicious page.
|
[Update the Firmware]
Apply the appropriate firmware update provided by the developer.
|
ASUS JAPAN Inc.
|
- OS Command Injection (CWE-78) [IPA Evaluation]
|
- CVE-2014-7269
|
- JVN : JVN#77792759
- National Vulnerability Database (NVD) : CVE-2014-7269
|
- [2015/01/27] Web page was published
- [2015/01/29] Impact was modified
- [2015/02/16] References : Content was added
- [2015/06/17] Affected Products : Product versions were modified
|