JVNDB-2023-025113
|
BUFFALO LinkStation 200 series vulnerable to arbitrary code execution
|
LinkStation 200 series provided by BUFFALO INC. is a series of network-attached storage (NAS) devices.
LinkStation 200 series contains an arbitrary code execution vulnerability (CWE-354, CVE-2023-51073) due to insufficient verification of data authenticity during firmware update.
BUFFALO INC. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
|
CVSS V3 Severity: Base Metrics 5.3 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
|
BUFFALO INC.
- LS210D firmware Ver. 1.08 and earlier
- LS220D firmware Ver. 1.08 and earlier
- LS220DB firmware Ver. 1.08 and earlier
- LS220DR firmware Ver. 1.08 and earlier
|
A wide range of products are affected. For the details, refer to the information provided by the developer.
|
A remote attacker may execute arbitrary code with root privileges via a man-in-the-middle attack.
[Comment]
The analysis evaluates "Integrity Impact (I)" as the primary impact, because the affected product is tricked into downloading and executing crafted firmware data.
|
[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
|
BUFFALO INC.
|
- Improper Validation of Integrity Check Value (CWE-354) [Other]
|
- CVE-2023-51073
|
- JVN : JVNVU#90953541
- National Vulnerability Database (NVD) : CVE-2023-51073
- Related document : github.com (CVE-2023-51073)
- Related document : www.buffalotech.com
|
- [2024/03/25]
Web page was published
|