|
JVNDB-2021-001381
|
Multiple vulnerabilities in Buffalo broadband routers
|
Multiple broadband routers provided by BUFFALO INC. contain multiple vulnerabilities listed below.
* Disclosure of sensitive information to an unauthorized user (CWE-200) - CVE-2021-3511
* Improper access control (CWE-284) - CVE-2021-3512
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-3511
|
CVSS V3 Severity: Base Metrics 7.5 (High) [IPA Score]
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2021-3512
|
|
BUFFALO INC.
- BHR-4GRV firmware Ver.1.99 and prior
- DWR-HP-G300NH firmware Ver.1.83 and prior
- FS-600DHP firmware Ver.3.38 and prior
- FS-G300N firmware Ver.3.13 and prior
- FS-HP-G300N firmware Ver.3.32 and prior
- FS-R600DHP firmware Ver.3.39 and prior
- HW-450HP-ZWE firmware Ver.1.99 and prior
- WHR-300 firmware Ver.1.99 and prior
- WHR-300HP firmware Ver.1.99 and prior
- WHR-G301N firmware Ver.1.86 and prior
- WHR-HP-G300N firmware Ver.1.99 and prior
- WHR-HP-GN firmware Ver.1.86 and prior
- WPL-05G300 firmware Ver.1.87 and prior
- WZR-300HP firmware Ver.1.99 and prior
- WZR-450HP firmware Ver.1.99 and prior
- WZR-450HP-CWT firmware Ver.1.99 and prior
- WZR-450HP-UB firmware Ver.1.99 and prior
- WZR-600DHP firmware Ver.1.99 and prior
- WZR-D1100H firmware Ver.1.99 and prior
- WZR-HP-AG300H firmware Ver.1.75 and prior
- WZR-HP-G300NH firmware Ver.1.83 and prior
- WZR-HP-G301NH firmware Ver.1.83 and prior
- WZR-HP-G302H firmware Ver.1.85 and prior
- WZR-HP-G450H firmware Ver.1.89 and prior
|
|
* An unauthenticated network-adjacent attacker may be able to obtain information such as configuration information. - CVE-2021-3511
* An unauthenticated network-adjacent attacker can start the telnet service and execute arbitrary OS commands with root privileges. - CVE-2021-3512
|
[Update firmware]
Apply the appropriate firmware update according to the information provided by the developer.
The developer has released fixed versions listed below.
* BHR-4GRV firmware Ver.2.00
* DWR-HP-G300NH firmware Ver.1.84
* HW-450HP-ZWE firmware Ver.2.00
* WHR-300HP firmware Ver.2.00
* WHR-300 firmware Ver.2.00
* WHR-G301N firmware Ver.1.87
* WHR-HP-G300N firmware Ver.2.00
* WHR-HP-GN firmware Ver.1.87
* WPL-05G300 firmware Ver.1.88
* WZR-450HP-CWT firmware Ver.2.00
* WZR-450HP-UB firmware Ver.2.00
* WZR-HP-AG300H firmware Ver.1.76
* WZR-HP-G300NH firmware Ver.1.84
* WZR-HP-G301NH firmware Ver.1.84
* WZR-HP-G302H firmware Ver.1.86
* WZR-HP-G450H firmware Ver.1.90
* WZR-300HP firmware Ver.2.00
* WZR-450HP firmware Ver.2.00
* WZR-600DHP firmware Ver.2.00
* WZR-D1100H firmware Ver.2.00
* FS-HP-G300N firmware Ver.3.33
* FS-600DHP firmware Ver.3.40
* FS-R600DHP firmware Ver.3.40
* FS-G300N firmware Ver.3.14
|
BUFFALO INC.
|
- Information Exposure (CWE-200) [IPA Evaluation]
- Improper Access Control (CWE-284) [IPA Evaluation]
|
- CVE-2021-3511
- CVE-2021-3512
|
- JVN : JVNVU#99235714
- National Vulnerability Database (NVD) : CVE-2021-3511
- National Vulnerability Database (NVD) : CVE-2021-3512
|
- [2021/04/28] Web page was published
- [2021/05/07] Impact : Content was modified
|