[Japanese]

JVNDB-2023-006578

ASUSTeK COMPUTER RT-AC87U vulnerable to improper access control

Overview

RT-AC87U provided by ASUSTeK COMPUTER INC. contains an improper access control vulnerability (CWE-284).

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


ASUSTeK Computer Inc.
  • RT-AC87U firmware all versions

Impact

An attacker may read or write files that are not intended to be accessed.
Solution

[Stop using the products and switch to alternative products]
The developer states that the support for the affected product ended in May 2021, and the firmware updates will not be provided.
The developer recommends users to use alternative unaffected products.

[Apply the Workarounds]
The developer recommends to stop the tftpd while using the affected device.
You can enable SSH from the web UI, connect to the device via SSH and do "killall tftpd".

For more information, please contact the developer.
Vendor Information

ASUSTeK Computer Inc.
CWE (What is CWE?)

  1. Improper Access Control(CWE-284) [Other]
CVE (What is CVE?)

  1. CVE-2023-47678
References

  1. JVN : JVNVU#96079387
  2. National Vulnerability Database (NVD) : CVE-2023-47678
Revision History

  • [2023/11/15]
      Web page was published
  • [2024/04/30]
      References : Content was added