JVNDB-2017-000044
|
CentreCOM AR260S V2 vulnerable to privilege escalation
|
CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. CentreCOM AR260S V2 contains a privilege escalation vulnerability.
Ziv Chang of Trend Micro Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.0 (High) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.2 (Medium) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
|
Allied Telesis
|
|
Unintended operations may be performed with administrative privileges by a user who can log into the product with the "guest" account.
|
[Apply Workarounds]
The following workarounds may mitigate the impacts of this vulnerability.
* Change the password of the account "guest"
The default password of the account "guest" is publicly known. Change the password of the account "guest" immediately to prevent an unauthenticated attacker from logging into the product.
* Do not allow untrusted persons to use the account "guest"
Once a user is logged into the vulnerable product as "guest", this vulnerability can be exploited. Therefore, do not allow untrusted persons to use the "guest" account.
* Enable the firewall protection
The product has firewall protection, and it is enabled by default. Enable the firewall to protect the product from unintended access from the WAN side.
|
Allied Telesis
|
- Permissions(CWE-264) [IPA Evaluation]
|
- CVE-2017-2125
|
- JVN : JVN#55121369
- National Vulnerability Database (NVD) : CVE-2017-2125
|
- [2017/03/30] Web page was published
- [2017/06/05] References : Content was added
|