|
JVNDB-2023-000059
|
Multiple vulnerabilities in Inaba Denki Sangyo Wi-Fi AP UNIT
|
Wi-Fi AP UNIT provided by Inaba Denki Sangyo Co., Ltd. contains multiple vulnerabilities listed below.
- Missing authentication for critical function (CWE-306) - CVE-2023-31196
- OS command injection (CWE-78) - CVE-2023-31198
- OS command injection (CWE-78) - CVE-2023-28392
MASAHIRO IIDA of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.2 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-31198
|
CVSS V3 Severity: Base Metrics 7.5 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-31196
|
CVSS V3 Severity: Base Metrics 7.2 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-28392
|
|
INABA DENKI SANGYO CO., LTD.
- AC-PD-WAPU v1.05_B04 and earlier
- AC-PD-WAPU-P v1.05_B04P and earlier
- AC-PD-WAPUM v1.05_B04 and earlier
- AC-PD-WAPUM-P v1.05_B04P and earlier
- AC-WAPU-300 v1.00_B07 and earlier
- AC-WAPU-300-P v1.00_B07 and earlier
- AC-WAPUM-300 v1.00_B07 and earlier
- AC-WAPUM-300-P v1.00_B07 and earlier
|
|
- A remote attacker may obtain sensitive information from the affected products - CVE-2023-31196
- An arbitrary OS command may be executed if a remote authenticated attacker with an administrative privilege sends a specially crafted request - CVE-2023-31198
- An arbitrary OS command may be executed by an authenticated user with the administrative privilege - CVE-2023-28392
|
[Apply the workaround]
The developer states that these products are no longer supported and therefore recommends that users apply the following workarounds to mitigate the impact of these vulnerabilities.
- Change the initial configuration values
- Change device operation settings
  - Prohibit access from the WAN/Wireless interface (only allow access through the front LAN port)
- Change filtering configuration
  - Set the MAC addresses of the clients allowed to connect wirelessly
  - Configure VPN, IP filters, etc. to restrict connections from clients
- Additional mitigation guidance/practices
  - Set up a firewall and run the product behind it
  - Do not access other websites while logged into the setting page of the product
  - Close the web browser after finishing operations in the setting page
  - Delete the password for the setting page saved in the web browser
|
INABA DENKI SANGYO CO., LTD.
|
- Improper Authentication (CWE-287) [IPA Evaluation]
- OS Command Injection (CWE-78) [IPA Evaluation]
|
- CVE-2023-31196
- CVE-2023-31198
- CVE-2023-28392
|
- JVN : JVN#28412757
- JVN : JVNVU#98968780
- National Vulnerability Database (NVD) : CVE-2023-28392
- National Vulnerability Database (NVD) : CVE-2023-31196
- National Vulnerability Database (NVD) : CVE-2023-31198
|
- [2023/06/09]
Web page was published
- [2023/06/14]
CVSS Severity was modified
- [2024/05/27]
References : Contents were added
|