[Japanese]

JVNDB-2021-000008

Multiple vulnerabilities in multiple ELECOM products

Overview

Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
*Improper Access Control (CWE-284) - CVE-2021-20643
*Script injection in web setup page (CWE-74) - CVE-2021-20644
*Stored cross-site scripting (CWE-79) - CVE-2021-20645
*Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650
*OS command injection (CWE-78) - CVE-2021-20648
*Improper server certificate verification (CWE-295) - CVE-2021-20649
*OS command injection via UPnP (CWE-78) - CVE-2014-8361

CVE-2021-20643
NAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20644
Ryo Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20645, CVE-2021-20646
Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20647, CVE-2021-20648, CVE-2021-20649
Satoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20650
Yutaka WATANABE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Satoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2014-8361


CVSS V3 Severity:
Base Metrics: 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20643


CVSS V3 Severity:
Base Metrics: 5.2 (Medium) [IPA Score]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 3.3 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20644


CVSS V3 Severity:
Base Metrics: 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 3.5 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20645


CVSS V3 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20646, CVE-2021-20647, CVE-2021-20650


CVSS V3 Severity:
Base Metrics: 6.8 (Medium) [IPA Score]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics: 5.2 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20648


CVSS V3 Severity:
Base Metrics: 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20649
Affected Products


ELECOM CO.,LTD.
  • LD-PS/U1 (CVE-2021-20643)
  • NCC-EWF100RMWH2 (CVE-2021-20650)
  • WRC-1467GHBK-A (CVE-2021-20644)
  • WRC-300FEBK firmware (CVE-2014-8361)
  • WRC-300FEBK-A (CVE-2021-20645, CVE-2021-20646)
  • WRC-300FEBK-S (CVE-2021-20647, CVE-2021-20648, CVE-2021-20649, CVE-2014-8361)
  • WRC-F300NF firmware (CVE-2014-8361)

Impact

*By processing a specially crafted request, administrative password of the product may be changed - CVE-2021-20643
*By displaying a specially crafted SSID on the web setup page, arbitrary script may be executed on the user's web browser - CVE-2021-20644
*An arbitrary script may be executed on a logged in user's web browser - CVE-2021-20645
*If a user views a malicious page while logged in to the web setup page of the product, arbitrary request may be executed and as a result, the product's settings may be altered and/or telnet daemon may be started - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650
*An attacker who can access the product may execute arbitrary OS commands - CVE-2021-20648
*A man-in-the-middle attack may allow an attacker to alter the communication response and as a result, arbitrary OS commands may be executed on the product - CVE-2021-20649
*When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361
Solution

[Stop using the products]
The developer states these vulnerable products are no longer supported, therefore stop using the products.

Also according to the developer, the following workarounds may mitigate some of the effects of these issues.
[Apply a Workaround]
CVE-2021-20645, CVE-2021-20646, CVE-2021-20647, CVE-2021-20648, CVE-2021-20650

    *Change web setup page's log in password.
    *Do not access other websites while logged in to the web setup page.
    *Close the web browser after the operation is finished on the web setup page.
    *Delete password of web setup page stored in web browser.


CVE-2021-20649

    *Do not execute the firmware's "Check for update files" function.
    *For detailed setting change process, refer to User's Manual (in Japanese) for the products.


CVE-2014-8361

    *Disable UPnP.
Vendor Information

ELECOM CO.,LTD.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
  2. Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
  3. OS Command Injection(CWE-78) [IPA Evaluation]
  4. Cross-site Scripting(CWE-79) [IPA Evaluation]
  5. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20643
  2. CVE-2021-20644
  3. CVE-2021-20645
  4. CVE-2021-20646
  5. CVE-2021-20647
  6. CVE-2021-20648
  7. CVE-2021-20649
  8. CVE-2021-20650
  9. CVE-2014-8361
References

  1. JVN : JVN#47580234
  2. National Vulnerability Database (NVD) : CVE-2014-8361
  3. National Vulnerability Database (NVD) : CVE-2021-20643
  4. National Vulnerability Database (NVD) : CVE-2021-20644
  5. National Vulnerability Database (NVD) : CVE-2021-20645
  6. National Vulnerability Database (NVD) : CVE-2021-20646
  7. National Vulnerability Database (NVD) : CVE-2021-20647
  8. National Vulnerability Database (NVD) : CVE-2021-20648
  9. National Vulnerability Database (NVD) : CVE-2021-20649
  10. National Vulnerability Database (NVD) : CVE-2021-20650
Revision History

  • [2021/01/26]
      Web page was published