JVNDB-2021-000038
|
Multiple vulnerabilities in Cisco Small Business Series Wireless Access Points
|
Cisco Small Business Series Wireless Access Points provided by Cisco Systems, Inc. contain multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2021-1400
* Command injection (CWE-78) - CVE-2021-1401
Shuto Imai of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 9.0 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2021-1400
|
CVSS V3 Severity: Base Metrics 5.5 (Medium) [JPCERT/CC Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 7.0 (Medium) [JPCERT/CC Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: Complete
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-1401
|
|
Cisco Systems, Inc.
- WAP125 Wireless-AC Dual Band Desktop Access Point with PoE 1.0.3.1 and earlier
- WAP131 Wireless-N Dual Radio Access Point with PoE 1.0.2.17 and earlier
- WAP150 Wireless-AC/N Dual Radio Access Point with PoE 1.1.2.4 and earlier
- WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch 1.0.2.17 and earlier
- WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE 1.1.2.4 and earlier
- WAP581 Wireless-AC Dual Radio Wave 2 Access Point with 2.5GbE LAN 1.0.3.1 and earlier
|
The developer states that WAP131 Wireless-N Dual Radio Access Point with PoE and WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch are no longer supported (End-of-Life, EOL). For details, refer to the information provided by the developer.
|
The impact varies by vulnerability. If an attacker who can access the affected device sends a specially crafted HTTP request to the administrative web interface of the device, the following may occur:
* Impersonation of a user, including an administrator - CVE-2021-1400
* Execution of an arbitrary command with the administrative privilege of the device - CVE-2021-1401
|
[Update the firmware]
Apply the appropriate firmware update according to the information provided by the developer.
|
Cisco Systems, Inc.
|
- Permissions (CWE-264) [IPA Evaluation]
- OS Command Injection (CWE-78) [IPA Evaluation]
|
- CVE-2021-1400
- CVE-2021-1401
|
- JVN : JVN#71263107
- National Vulnerability Database (NVD) : CVE-2021-1400
- National Vulnerability Database (NVD) : CVE-2021-1401
|
- [2021/05/14]
Web page was published
|