JVNDB-2021-000028

Multiple vulnerabilities in multiple Aterm products

Overview

Multiple Aterm products provided by NEC Corporation contain multiple vulnerabilities listed below.

  • Cross-site Scripting (CWE-79) - CVE-2021-20680
  • OS command injection via UPnP (CWE-78) - CVE-2014-8361

CVE-2021-20680
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2014-8361
Satoru Nagaoka of Cyber Defense Institute, Inc., Katsuhiko Sato (a.k.a. goroh_kun) and Ryo Kashiro of 00One, Inc., and Rintaro Fujita of Nippon Telegraph and Telephone Corporation reported to IPA that the CVE-2014-8361 vulnerability still exists in NEC Corporation products. JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2014-8361


CVSS V3 Severity:
Base Metrics: 6.1 (Medium) [JPCERT/CC Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.3 (Medium) [JPCERT/CC Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20680

Affected Products

NEC Corporation
  • Aterm W1200EX firmware Ver.1.3.1 and earlier
  • Aterm W1200EX-MS firmware Ver.1.3.1 and earlier
  • Aterm W300P firmware all versions
  • Aterm W500P firmware all versions
  • Aterm WF300HP2 firmware all versions
  • Aterm WF800HP firmware all versions
  • Aterm WG1200HP firmware all versions
  • Aterm WG1200HP2 firmware Ver.2.5.0 and earlier
  • Aterm WG1200HP3 firmware Ver.1.3.1 and earlier
  • Aterm WG1200HS firmware all versions
  • Aterm WG1200HS2 firmware Ver.2.5.0 and earlier
  • Aterm WG1200HS3 firmware Ver.1.1.2 and earlier (only affected by CVE-2021-20680)
  • Aterm WG1800HP3 firmware Ver.1.5.1 and earlier
  • Aterm WG1800HP4 firmware Ver.1.3.1 and earlier
  • Aterm WG1900HP firmware Ver.2.5.1 and earlier
  • Aterm WG1900HP2 firmware Ver.1.3.1 and earlier
  • Aterm WR8165N firmware all versions

Impact

  • An arbitrary script may be executed on the user's web browser - CVE-2021-20680
  • When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361

Solution

[Update the firmware]
For the users of WG1900HP2, WG1900HP, WG1800HP4, WG1200HS3, WG1200HS2, WG1200HP3, WG1200HP2, W1200EX, and W1200EX-MS:
Update the firmware to the latest version according to the information provided by the developer.
According to the developer, the fixed firmware for WG1800HP3 will be released later. Until then, apply the following workarounds.

[Apply workarounds]
For the users of WG1200HS, WG1200HP, WF800HP, WF300HP2, WR8165N, W500P, and W300P:
According to the developer, no firmware update is planned for these products.
Applying the following workarounds may mitigate the impacts of the vulnerabilities.

  • Change the passwords of the web-based management utility and the Wi-Fi encryption key to stronger ones
  • CVE-2021-20680
      When accessing a website, use a URL obtained from a trusted source and bookmark it. For subsequent accesses, use the bookmarked URL.
      Close the web browser after the operation is finished on the web-based management utility.
      Delete the credential of the web-based management utility stored in the web browser.
  • CVE-2014-8361
      Disable UPnP.

Vendor Information

NEC Corporation

CWE

  1. OS Command Injection (CWE-78) [IPA Evaluation]
  2. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2014-8361
  2. CVE-2021-20680

References

  1. JVN : JVN#67456944
  2. National Vulnerability Database (NVD) : CVE-2014-8361
  3. National Vulnerability Database (NVD) : CVE-2021-20680

Revision History

  • [2021/04/09]
      Web page was published