[Japanese]

JVNDB-2021-001380

Multiple Buffalo network devices contain hidden functionality

Overview

Multiple network devices provided by BUFFALO INC. contain hidden functionality (CWE-912) that allows an attacker to enable the debug option.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 10.0 (High) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products


BUFFALO INC.
  • BHR-4RV firmware Ver.2.55 and prior
  • FS-G54 firmware Ver.2.04 and prior
  • WBR-B11 firmware Ver.2.23 and prior
  • WBR-G54 firmware Ver.2.23 and prior
  • WBR-G54L firmware Ver.2.20 and prior
  • WBR2-B11 firmware Ver.2.32 and prior
  • WBR2-G54 firmware Ver.2.32 and prior
  • WBR2-G54-KD firmware Ver.2.32 and prior
  • WHR-G54 firmware Ver.2.16 and prior
  • WHR-G54-NF firmware Ver.2.10 and prior
  • WHR2-A54G54 firmware Ver.2.25 and prior
  • WHR2-G54 firmware Ver.2.23 and prior
  • WHR2-G54V firmware Ver.2.55 and prior
  • WHR3-AG54 firmware Ver.2.23 and prior
  • WLA-B11 firmware Ver.2.20 and prior
  • WLA-G54 firmware Ver.2.20 and prior
  • WLA-G54C firmware Ver.2.20 and prior
  • WLA2-G54 firmware Ver.2.24 and prior
  • WLA2-G54C firmware Ver.2.24 and prior
  • WLAH-A54G54 firmware Ver.2.54 and prior
  • WLAH-AM54G54 firmware Ver.2.54 and prior
  • WLAH-G54 firmware Ver.2.54 and prior
  • WLI-T1-B11 firmware Ver.2.20 and prior
  • WLI-TX1-G54 firmware Ver.2.20 and prior
  • WLI2-TX1-AG54 firmware Ver.2.53 and prior
  • WLI2-TX1-AMG54 firmware Ver.2.53 and prior
  • WLI2-TX1-G54 firmware Ver.2.20 and prior
  • WLI3-TX1-AMG54 firmware Ver.2.53 and prior
  • WLI3-TX1-G54 firmware Ver.2.53 and prior
  • WVR-G54-NF firmware Ver.2.02 and prior
  • WZR-G108 firmware Ver.2.41 and prior
  • WZR-G54 firmware Ver.2.41 and prior
  • WZR-HP-G54 firmware Ver.2.41 and prior
  • WZR-RS-G54 firmware Ver.2.55 and prior
  • WZR-RS-G54HP firmware Ver.2.55 and prior

Impact

A network-adjacent attacker may execute arbitrary code or OS commands, change the configuration, and cause a denial of service (DoS) condition.
Solution

[Do not use the products]
According to the developer, the devices are no longer supported and it is recommended for the users to use alternative devices.
For more details, refer to the information provided by the developer.
Vendor Information

BUFFALO INC.
CWE (What is CWE?)

  1. Hidden Functionality(CWE-912) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20716
References

  1. JVN : JVNVU#90274525
  2. National Vulnerability Database (NVD) : CVE-2021-20716
Revision History

  • [2021/04/28]
      Web page was published
  • [2021/05/07]
      Impact : Content was modified

Date Public2021/04/27
Date First Published2021/04/28
Date Last Updated2021/05/07