[Japanese]
|
JVNDB-2021-000006
|
Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
|
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities.
Aterm WF800HP:
*Cross-site Scripting (CWE-79) - CVE-2021-20620
Aterm WG2600HP and Aterm WG2600HP2:
*Improper Access Control (CWE-284) - CVE-2017-12575
*Cross-Site Request Forgery (CWE-352) - CVE-2021-20621
*Cross-site Scripting (CWE-79) - CVE-2021-20622
CVE-2021-20620
Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20621, CVE-2021-20622
Noriaki Iwasaki of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.5 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20620
|
CVSS V3 Severity:
Base Metrics:
7.5 (High) [JPCERT/CC Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.3 (Medium)
[JPCERT/CC Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2017-12575
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [JPCERT/CC Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[JPCERT/CC Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20621
|
CVSS V3 Severity:
Base Metrics:
6.1 (Medium) [JPCERT/CC Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[JPCERT/CC Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20622
|
|
NEC Corporation
- Aterm WG2600HP firmware Ver1.0.13 and earlier
- Aterm WG2600HP2 firmware Ver1.0.3 and earlier
- Aterm WF800HP firmware all versions
|
|
*An arbitrary script may be executed on the user's web browser - CVE-2021-20620
*A remote attacker may obtain and/or alter the settings stored in the device - CVE-2017-12575
*If a user accesses a specially crafted page while logged in, unintended operations may be performed - CVE-2021-20621
*An arbitrary script may be executed on the logged in user's web browser - CVE-2021-20622
|
[Apply workaround]
For the users of Aterm WF800HP:
Applying the following workaround may mitigate the impacts of the vulnerability.
*When accessing a website, use a URL obtained from a trusted source and register it to the bookmark. For subsequent accesses, use the URL registered in the bookmark.
[Update the firmware]
For the users of Aterm WG2600HP and Aterm WG2600HP2:
Update the firmware to the latest version according to the information provided by the developer.
|
NEC Corporation
|
- Permissions(CWE-264) [IPA Evaluation]
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2017-12575
- CVE-2021-20620
- CVE-2021-20621
- CVE-2021-20622
|
- JVN : JVN#38248512
- National Vulnerability Database (NVD) : CVE-2021-20620
- National Vulnerability Database (NVD) : CVE-2021-20621
- National Vulnerability Database (NVD) : CVE-2021-20622
- National Vulnerability Database (NVD) : CVE-2017-12575
|
- [2021/01/22]
Web page was published
- [2021/02/03]
Affected Products : Content was modified
|