|
[Japanese]
|
JVNDB-2022-000066
|
Multiple vulnerabilities in CentreCOM AR260S V2
|
|
CentreCOM AR260S V2 provided by Allied Telesis K.K. contains multiple vulnerabilities listed below.
* OS command injection vulnerability in GUI setting page (CWE-78) - CVE-2022-35273
* Use of hard-coded credentials for the telnet server (CWE-798) - CVE-2022-38394
* Undocumented hidden command that can be excuted from the telnet function (CWE-912) - CVE-2022-34869
* OS command injection vulnerability in the telnet function (CWE-78) - CVE-2022-38094
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 8.1 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 9.3 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-38394
|
CVSS V3 Severity:
Base Metrics
8.8 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
9.0 (High)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Complete
-
Integrity Impact: Complete
-
Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-35273
|
CVSS V3 Severity:
Base Metrics
7.5 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: High
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
7.1 (High)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: Single
-
Confidentiality Impact: Complete
-
Integrity Impact: Complete
-
Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-34869
|
CVSS V3 Severity:
Base Metrics
7.5 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: High
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
7.1 (High)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: Single
-
Confidentiality Impact: Complete
-
Integrity Impact: Complete
-
Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-38094
|
|
|
Allied Telesis
- CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7
|
|
|
A remote attacker may execute an arbitrary OS command.
|
|
[Update the firmware and Change passwords]
Update the firmware to the latest version according to the information provided by the developer, and then change all passwords including "guest" account passwords.
[Apply the workaround]
Applying the following workarounds may mitigate the impacts of these vulnerabilities.
* Enable the Firewall protection
* Change all passwords including "guest" account passwords
|
|
Allied Telesis
|
|
- Improper Authentication(CWE-287) [IPA Evaluation]
- OS Command Injection(CWE-78) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2022-35273
- CVE-2022-38394
- CVE-2022-34869
- CVE-2022-38094
|
|
- JVN : JVN#45473612
|
|
- [2022/08/29]
Web page was published
|
