JVNDB-2023-002413
|
Multiple vulnerabilities in ELECOM and LOGITEC wireless LAN routers
|
Multiple wireless LAN routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below.
* Command Injection on the web management page (CWE-77) - CVE-2023-37566, CVE-2023-37568
* Command Injection on a certain port of the web management page (CWE-77) - CVE-2023-37567
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 9.8 (Critical) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 7.5 (High) [NVD Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-37567
|
CVSS V3 Severity: Base Metrics 6.8 (Medium) [JPCERT/CC Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.2 (Medium) [JPCERT/CC Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-37566
|
CVSS V3 Severity: Base Metrics 6.8 (Medium) [JPCERT/CC Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.2 (Medium) [JPCERT/CC Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-37568
|
|
ELECOM CO.,LTD.
- WRC-1167FEBK-A v1.18 and earlier
- WRC-1167GEBK-S v1.03 and earlier
- WRC-1167GHBK-S v1.03 and earlier
- WRC-1167GHBK3-A v1.24 and earlier
- WRC-1467GHBK-A all versions
- WRC-1900GHBK-A all versions
- WRC-600GHBK-A all versions
- WRC-733FEBK2-A all versions
- WRC-F1167ACF2 all versions
Logitec Corp.
- LAN-W301NR firmware all versions
|
|
* A network-adjacent authenticated attacker may execute an arbitrary command by sending a specially crafted request to the web management page - CVE-2023-37566, CVE-2023-37568
* A remote unauthenticated attacker may execute an arbitrary command by sending a specially crafted request to a certain port of the web management page - CVE-2023-37567
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
[Stop using the products]
Some vulnerable products are no longer supported. For more information, refer to the security advisory from the developer and stop using the products.
|
ELECOM CO.,LTD.
|
- Command Injection (CWE-77) [Other]
|
- CVE-2023-37566
- CVE-2023-37567
- CVE-2023-37568
|
- JVN : JVNVU#91850798
- National Vulnerability Database (NVD) : CVE-2023-37566
- National Vulnerability Database (NVD) : CVE-2023-37567
- National Vulnerability Database (NVD) : CVE-2023-37568
|
- [2023/07/12]
  - Web page was published
- [2023/08/15]
  - Title was modified
  - Overview was modified
  - CVSS Severity was modified
  - Affected Products : Products were added
  - Affected Products : Product version was modified
  - Impact was modified
  - Solution was modified
- [2023/08/15]
  - Vendor Information : Content was modified
- [2024/04/22]
  - References : Contents were added
|