|
[Japanese]
|
JVNDB-2018-000007
|
Multiple I-O DATA network devices incorporating "MagicalFinder" vulnerable to OS command injection
|
|
"MagicalFinder" provided by I-O DATA DEVICE, INC. is a IP address setting tool to for I-O DATA network devices such as routers, network cameras, strages, etc. Multiple I-O DATA network devices that incorporate "MagicalFinder" contain an OS command injection vulnerability (CWE-78).
Taizo Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.2 (Medium) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
|
|
I-O DATA DEVICE, INC.
- BX-VP1 firmware version 2.01 and earlier
- GV-NTX1 firmware version 1.02.00 and earlier
- GV-NTX2 firmware version 1.02.00 and earlier
- HDL-A Series firmware version 1.26 and earlier
- HDL-AH Series firmware version 1.26 and earlier
- HDL-GT Series firmware version 1.37 and earlier
- HDL-GTR Series firmware version 1.37 and earlier
- HDL-T Series firmware version 1.12 and earlier
- HDL-XR Series firmware version 2.01 and earlier
- HDL-XR2U Series firmware version 2.01 and earlier
- HDL-XR2UW Series firmware version 2.01 and earlier
- HDL-XRW Series firmware version 2.01 and earlier
- HDL-XV Series firmware version 1.50 and earlier
- HDL-XVW Series firmware version 1.50 and earlier
- HDL2-A Series firmware version 1.26 and earlier
- HDL2-AH Series firmware version 1.26 and earlier
- HFAS1 Series firmware version 1.40 and earlier
- HLS-C Series firmware version 1.12 and earlier
- HVL-ATA series firmware version 2.04 and earlier
- HVL-AT series firmware version 2.04 and earlier
- HVL-A series firmware version 2.04 and earlier
- HVL-S Series firmware version 1.00 and earlier
- WHG-AC1750/A firmware version 3.00 and earlier
- WHG-AC1750/AL firmware version 1.07 and earlier
- WHG-NAPG/A firmware version 1.08 and earlier
- WHG-NAPG/AL firmware version 1.05 and earlier
- WN-AC1167DGR firmware version 1.02 and earlier
- WN-AC1300EX firmware version 1.02 and earlier
- WN-AC1600DGR firmware version 2.06 and earlier
- WN-AC583RK firmware version 1.06 and earlier
- WN-AC583TRK firmware version 1.05 and earlier
- WN-AG300DGR firmware version 1.05 and earlier
- WN-AG750DGR firmware version 1.08 and earlier
- WN-AX1167GR firmware version 3.11 and earlier
- WN-G300EX firmware version 1.01 and earlier
- WN-G300R firmware version 1.14 and earlier
- WN-G300R3 firmware version 1.04 and earlier
- WN-G300SR firmware version 1.00 and earlier
- WN-GX300GR firmware version 2.00 and earlier
- WNPR1167F firmware version 1.00 and earlier
- WNPR1167G firmware version 1.00 and earlier
- WNPR1750G firmware version 1.01 and earlier
- WNPR2600G firmware version 1.01 and earlier
|
|
|
An attacker who can log in the affected device may execute an arbitrary OS command.
|
|
[Apply the appropriate firmware update]
Apply the appropriate firmware update according to the information provided by the developer.
|
|
I-O DATA DEVICE, INC.
|
|
- OS Command Injection(CWE-78) [IPA Evaluation]
|
|
- CVE-2018-0512
|
|
- JVN : JVN#36048131
- National Vulnerability Database (NVD) : CVE-2018-0512
|
|
- [2018/02/06]
Web page was published
- [2018/04/11]
References : Content was added
|
