JVNDB-2018-000075

[Japanese]
JVNDB-2018-000075
Multiple OS command injection vulnerabilities in Aterm WG1200HP
Overview
Aterm WG1200HP provided by NEC Corporation contains multiple OS command injection vulnerabilities (CWE-78). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 6.8 (Medium) [IPA Score] Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High CVSS V2 Severity: Base Metrics 5.2 (Medium) [IPA Score] Access Vector: Adjacent Network Access Complexity: Low Authentication: Single Instance Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

NEC Corporation Aterm WG1200HP firmware firmware Ver1.0.31 and earlier

Impact
A user who can access the product with administrative privileges may execute an arbitrary OS command.
Solution
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
Vendor Information
NEC Corporation NEC Security Information : NV16-005 (in Japanese)
CWE (What is CWE?)
OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)
CVE-2018-0626 CVE-2018-0627 CVE-2018-0628 CVE-2018-0625
References
JVN : JVN#00401783 National Vulnerability Database (NVD) : CVE-2018-0625 National Vulnerability Database (NVD) : CVE-2018-0626 National Vulnerability Database (NVD) : CVE-2018-0627 National Vulnerability Database (NVD) : CVE-2018-0628
Revision History
[2018/07/12] Web page was published [2019/08/27] References : Content was added


Date Public	2018/07/12
Date First Published	2018/07/12
Date Last Updated	2019/08/27

Multiple OS command injection vulnerabilities in Aterm WG1200HP