[Japanese]

JVNDB-2021-003929

Multiple vulnerabilities in multiple Yamaha routers

Overview

Multiple routers provided by Yamaha Corporation contain multiple vulnerabilities listed below.

* Cross-site script inclusion (CWE-829) - CVE-2021-20843
* Improper neutralization of HTTP request headers for scripting syntax (CWE-644) - CVE-2021-20844

Shoji Baba of IERAE SECURITY INC. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.5 (Low) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20843

CVSS V3 Severity:
Base Metrics3.7 (Low) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20844
Affected Products


Yamaha Corporation
  • NVR510 Rev.15.01.18 and earlier
  • NVR700W Rev.15.00.19 and earlier
  • RTX1210 Rev.14.01.38 and earlier
  • RTX830 Rev.15.02.17 and earlier

Impact

* If a user views a malicious page created by an attacker while logging in to the Web GUI of the affected product, the product's settings may be changed unintentionally - CVE-2021-20843, CVE-2021-20844
* If a user views a malicious page created by an attacker while logging in to the Web GUI of the affected product, sensitive information may be obtained - CVE-2021-20844
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
The developer has released the following versions that contain fixes for these vulnerabilities.

* RTX830 Rev.15.02.20
* NVR510 Rev.15.01.21
* NVR700W Rev.15.00.22
* RTX1210 Rev.14.01.40


[Apply a workaround]
If the latest version of firmware cannot be obtained or firmware update cannot be applied, applying either of the following workarounds may mitigate the impacts of these vulnerabilities

* Set httpd service off and disable HTTP server function.
* Set httpd host none and prohibit access to the GUI from all hosts.
Vendor Information

Yamaha Corporation NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
CWE (What is CWE?)

  1. Improper Neutralization of HTTP Headers for Scripting Syntax(CWE-644) [Other]
  2. Inclusion of Functionality from Untrusted Control Sphere(CWE-829) [Other]
CVE (What is CVE?)

  1. CVE-2021-20843
  2. CVE-2021-20844
References

  1. JVN : JVNVU#91161784
  2. National Vulnerability Database (NVD) : CVE-2021-20843
  3. National Vulnerability Database (NVD) : CVE-2021-20844
Revision History

  • [2021/12/24]
      Web page was published

Date Public2021/11/09
Date First Published2021/12/24
Date Last Updated2021/12/24