|
[Japanese]
|
JVNDB-2018-000024
|
Multiple vulnerabilities in CG-WGR1200
|
|
CG-WGR1200 provided by Corega Inc is a wireless LAN router. CG-WGR1200 contains multiple vulnerabilities listed below.
* Buffer Overflow (CWE-119) - CVE-2017-10852
* Buffer Overflow (CWE-78) - CVE-2017-10853
* Authentication bypass (CWE-306) - CVE-2017-10854
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2017-10852
|
CVSS V3 Severity:
Base Metrics:
8.8 (High) [IPA Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics:
5.8 (Medium)
[IPA Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2017-10853
|
CVSS V3 Severity:
Base Metrics:
8.8 (High) [IPA Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics:
5.8 (Medium)
[IPA Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2017-10854
|
|
|
Corega Inc
- CG-WGR1200 firmware 2.20 and earlier
|
|
|
* A user with access to the affected device may execute arbitrary code - CVE-2017-10852
* A user with access to the affected device may execute an arbitrary command - CVE-2017-10853
* A user with access to the affected device may change the login password. As a result, the user may access the management screen of the device and perform an arbitrary operation such as altering the device's settings - CVE-2017-10854
|
|
[Do not use CG-WGR1200]
Stop using CG-WGR1200. According to the developer, there is no plan to provide fix for these vulnerabilities since CG-WGR1200 is no longer supported.
[Apply a Workaround]
CG-WGR1200 is no longer supported and there is no plan of the fixes for these vulnerabilities being provided. However if you continue to use the device, apply following workarounds to mitigate the impacts of these vulnerabilities.
* Disable remote connection function to prevent an attacker's remote access to the device
* Prevent unauthorized access from inside the LAN to the device.
|
|
Corega Inc
|
|
- Data Handling(CWE-19) [IPA Evaluation]
- Permissions(CWE-264) [IPA Evaluation]
- OS Command Injection(CWE-78) [IPA Evaluation]
|
|
- CVE-2017-10852
- CVE-2017-10853
- CVE-2017-10854
|
|
- JVN : JVN#15201064
- National Vulnerability Database (NVD) : CVE-2017-10852
- National Vulnerability Database (NVD) : CVE-2017-10853
- National Vulnerability Database (NVD) : CVE-2017-10854
|
|
- [2018/03/09]
Web page was published
- [2018/06/14]
References : Contents were added
|
