JVNDB-2021-000010

Multiple vulnerabilities in multiple LOGITEC products

Multiple products provided by LOGITEC CORPORATION contain multiple vulnerabilities.
* Improper restriction of excessive authentication attempts (CWE-307) - CVE-2021-20635
* Cross-site request forgery (CWE-352) - CVE-2021-20636, CVE-2021-20641
* Improper check or handling of exceptional conditions (CWE-703) - CVE-2021-20637, CVE-2021-20642
* OS command injection (CWE-78) - CVE-2021-20638
* OS command injection (CWE-78) - CVE-2021-20639
* Buffer overflow (CWE-119) - CVE-2021-20640
CVE-2021-20635
Takaaki Minegishi and Takeshi Okamoto of Kanagawa Institute of Technology reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20636, CVE-2021-20637, CVE-2021-20642
Shuto Imai of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20638, CVE-2021-20639, CVE-2021-20640
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS V3 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.2 (Medium) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20638

CVSS V3 Severity: Base Metrics 4.3 (Medium) [JPCERT/CC Score]
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.3 (Low) [JPCERT/CC Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20635

CVSS V3 Severity: Base Metrics 4.3 (Medium) [JPCERT/CC Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Medium) [JPCERT/CC Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20636, CVE-2021-20641

CVSS V3 Severity: Base Metrics 4.3 (Medium) [JPCERT/CC Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 2.6 (Low) [JPCERT/CC Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20637, CVE-2021-20642

CVSS V3 Severity: Base Metrics 6.8 (Medium) [JPCERT/CC Score]
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.2 (Medium) [JPCERT/CC Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20639

CVSS V3 Severity: Base Metrics 6.8 (Medium) [JPCERT/CC Score]
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.2 (Medium) [JPCERT/CC Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20640

Logitec Corp.
- LAN-W300N/PGRB (CVE-2021-20638, CVE-2021-20639, CVE-2021-20640)
- LAN-W300N/PR5B (CVE-2021-20636, CVE-2021-20637)
- LAN-W300N/RS firmware (CVE-2021-20641, CVE-2021-20642)
- LAN-WH450N/GR (CVE-2021-20635)

* An attacker within wireless range of the device may recover the PIN and gain access to the network - CVE-2021-20635
* If a user who is logged in to the administrative web page of the device accesses a specially crafted URL, unintended operations on the device, such as changes to the device settings, may be performed - CVE-2021-20636, CVE-2021-20641
* If a user who is logged in to the administrative web page of the device accesses a specially crafted URL, a denial-of-service (DoS) condition may result - CVE-2021-20637, CVE-2021-20642
* An attacker who can access the administrative web page of the device may execute arbitrary OS commands - CVE-2021-20638, CVE-2021-20639, CVE-2021-20640

[Stop using the products]
The developer states that these vulnerable products are no longer supported; therefore, stop using the products.

Logitec Corp.

- Buffer Errors (CWE-119) [IPA Evaluation]
- Improper Authentication (CWE-287) [IPA Evaluation]
- Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
- OS Command Injection (CWE-78) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]

- CVE-2021-20635
- CVE-2021-20636
- CVE-2021-20637
- CVE-2021-20638
- CVE-2021-20639
- CVE-2021-20640
- CVE-2021-20641
- CVE-2021-20642

- JVN: JVN#96783542
- National Vulnerability Database (NVD): CVE-2021-20635
- National Vulnerability Database (NVD): CVE-2021-20636
- National Vulnerability Database (NVD): CVE-2021-20637
- National Vulnerability Database (NVD): CVE-2021-20638
- National Vulnerability Database (NVD): CVE-2021-20639
- National Vulnerability Database (NVD): CVE-2021-20640
- National Vulnerability Database (NVD): CVE-2021-20641
- National Vulnerability Database (NVD): CVE-2021-20642

- [2021/01/26]
Web page was published