[Japanese]

JVNDB-2023-002797

Multiple vulnerabilities in ELECOM and LOGITEC network devices

Overview

Multiple network devices provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below.

* Hidden Functionality (CWE-912) - CVE-2023-32626, CVE-2023-35991, CVE-2023-39445
* Telnet service access restriction failure (CWE-284) - CVE-2023-38132
* Hidden Functionality (CWE-912) - CVE-2023-38576
* Buffer overflow (CWE-120) - CVE-2023-39454
* OS Command Injection (CWE-78) - CVE-2023-39455, CVE-2023-40072
* OS Command Injection (CWE-78) - CVE-2023-39944, CVE-2023-40069

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [NVD Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-32626, CVE-2023-35991, CVE-2023-39445


CVSS V3 Severity:
Base Metrics:8.8 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-38132


CVSS V3 Severity:
Base Metrics:8.8 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-39454


CVSS V3 Severity:
Base Metrics:8.8 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-39944, CVE-2023-40069


CVSS V3 Severity:
Base Metrics:6.8 (Medium) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-38576


CVSS V3 Severity:
Base Metrics:6.8 (Medium) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2023-39455, CVE-2023-40072
Affected Products


ELECOM CO.,LTD.
  • WAB-I1750-PS v1.5.10 and earlier
  • WAB-S1167-PS v1.5.6 and earlier
  • WAB-M1775-PS firmware v1.1.21 and earlier (CVE-2023-40072)
  • WAB-M2133 firmware v1.3.22 and earlier (CVE-2023-40072)
  • WAB-S1167 firmware v1.0.7 and earlier (CVE-2023-40072)
  • WAB-S1775 firmware v1.1.9 and earlier (CVE-2023-40072)
  • WAB-S300 all versions (CVE-2023-40072)
  • WAB-S600-PS all versions (CVE-2023-40072)
  • WRC-1167GHBK2 firmware all versions (CVE-2023-40069)
  • WRC-1467GHBK-A all versions (CVE-2023-39455)
  • WRC-1467GHBK-S all versions (CVE-2023-39455)
  • WRC-1750GHBK firmware all versions (CVE-2023-39944)
  • WRC-1750GHBK firmware all versions (CVE-2023-40069)
  • WRC-1750GHBK-E firmware all versions (CVE-2023-40069)
  • WRC-1750GHBK2-I firmware all versions (CVE-2023-40069)
  • WRC-1900GHBK-A all versions (CVE-2023-39455)
  • WRC-1900GHBK-S all versions (CVE-2023-39455)
  • WRC-600GHBK-A all versions (CVE-2023-39455)
  • WRC-733FEBK2-A all versions (CVE-2023-39455)
  • WRC-F1167ACF firmware all versions (CVE-2023-39944)
  • WRC-F1167ACF firmware all versions (CVE-2023-40069)
  • WRC-F1167ACF2 all versions (CVE-2023-39455)
  • WRC-X1800GS-B v1.13 and earlier (CVE-2023-39454)
  • WRC-X1800GSA-B v1.13 and earlier (CVE-2023-39454)
  • WRC-X1800GSH-B v1.13 and earlier (CVE-2023-39454)
Logitec Corp.
  • LAN-W300N/DR all versions (CVE-2023-35991)
  • LAN-W300N/P firmware all versions (CVE-2023-35991)
  • LAN-W300N/PR5 all versions (CVE-2023-32626)
  • LAN-W300N/RS firmware all versions (CVE-2023-32626)
  • LAN-W451NGR all versions (CVE-2023-38132)
  • LAN-WH300AN/DGP all versions (CVE-2023-35991)
  • LAN-WH300ANDGPE all versions (CVE-2023-35991)
  • LAN-WH300N/DGP firmware all versions (CVE-2023-35991)
  • LAN-WH300N/DR all versions (CVE-2023-35991)
  • LAN-WH300N/RE all versions (CVE-2023-38576, CVE-2023-39445)
  • LAN-WH450N/GP all versions (CVE-2023-35991)

Impact

* An unauthenticated attacker may log in to the product's certain management console and execute arbitrary OS commands - CVE-2023-32626, CVE-2023-35991
* An unauthenticated attacker may log in to telnet service - CVE-2023-38132
* An authenticated user may execute arbitrary OS commands on a certain management console - CVE-2023-38576
* An unauthenticated attacker may execute arbitrary code by sending a specially crafted file to the product's certain management console - CVE-2023-39445
* An unauthenticated attacker may execute arbitrary code - CVE-2023-39454
* An authenticated user may execute an arbitrary OS command by sending a specially crafted request - CVE-2023-39455, CVE-2023-40072
* An attacker who can access the product may execute an arbitrary OS command by sending a specially crafted request - CVE-2023-39944, CVE-2023-40069
Solution

[Update the firmware]
For WRC-X1800GS-B, WRC-X1800GSA-B, WRC-X1800GSH-B, WAB-M1775-PS, WAB-S1775, WAB-S1167, WAB-M2133, WAB-I1750-PS, and WAB-S1167-PS, update the firmware to the latest version according to the information provided by the developer.

[Apply the workaround]
For WAB-S600-PS and WAB-S300, applying the following workarounds may mitigate the impact of CVE-2023-40072 issue.

* Change the setting page's login password
* Do not access other websites while logged in to the setting page
* Close the web browser after finishing operations on the setting page
* Delete the password for the setting page saved in the web browser

[Stop using the products]
According to the developer, the rest of the affected products are no longer supported. Stop using the vulnerable products and consider switching to alternatives.
Vendor Information

ELECOM CO.,LTD.
CWE (What is CWE?)

  1. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')(CWE-120) [Other]
  2. Improper Access Control(CWE-284) [Other]
  3. OS Command Injection(CWE-78) [Other]
  4. Hidden Functionality(CWE-912) [Other]
CVE (What is CVE?)

  1. CVE-2023-32626
  2. CVE-2023-35991
  3. CVE-2023-38132
  4. CVE-2023-38576
  5. CVE-2023-39445
  6. CVE-2023-39454
  7. CVE-2023-39455
  8. CVE-2023-39944
  9. CVE-2023-40069
  10. CVE-2023-40072
References

  1. JVN : JVNVU#91630351
  2. National Vulnerability Database (NVD) : CVE-2023-32626
  3. National Vulnerability Database (NVD) : CVE-2023-35991
  4. National Vulnerability Database (NVD) : CVE-2023-38132
  5. National Vulnerability Database (NVD) : CVE-2023-38576
  6. National Vulnerability Database (NVD) : CVE-2023-39445
  7. National Vulnerability Database (NVD) : CVE-2023-39454
  8. National Vulnerability Database (NVD) : CVE-2023-39455
  9. National Vulnerability Database (NVD) : CVE-2023-39944
  10. National Vulnerability Database (NVD) : CVE-2023-40069
  11. National Vulnerability Database (NVD) : CVE-2023-40072
Revision History

  • [2023/08/15]
      Web page was published
  • [2023/11/16]
      Affected Products : Products were added
      Vendor Information : Content was added
      Solution was modified
  • [2024/01/24]
      Affected Products : Product was added
      Solution was modified
  • [2024/02/22]
      CVSS Severity was modified
      Affected Products : Product was added
      Vendor Information : Content was modified
      Solution was modified
      References : Contents were added
  • [2024/08/29]
      Vendor Information: Contents were added
      Solution was modified
      Affected Products : Products were added