JVNDB-2024-000078
Multiple vulnerabilities in ELECOM wireless LAN routers
Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
- Unrestricted Upload of File with Dangerous Type (CWE-434): CVE-2024-34021
- OS Command Injection (CWE-78): CVE-2024-39607
- Cross-Site Request Forgery (CWE-352): CVE-2024-40883
CVE-2024-34021: Toyama Taku and Daichi Arai of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-39607, CVE-2024-40883: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS V3 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned to CVE-2024-34021.
CVSS V3 Severity: Base Metrics 6.8 (Medium) [Other]
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned to CVE-2024-39607.
CVSS V3 Severity: Base Metrics 6.5 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
The above CVSS base score has been assigned to CVE-2024-40883.
ELECOM CO.,LTD.
- WRC-1167GST2 firmware v1.32 and earlier (CVE-2024-34021)
- WRC-2533GS2-B v1.68 and earlier (CVE-2024-34021)
- WRC-2533GS2-W v1.68 and earlier (CVE-2024-34021)
- WRC-2533GS2V-B v1.68 and earlier (CVE-2024-34021)
- WRC-2533GST2 firmware v1.30 and earlier (CVE-2024-34021)
- WRC-X1500GS-B v1.11 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X1500GSA-B v1.11 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X1800GS-B v1.18 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X1800GSA-B v1.18 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X1800GSH-B v1.18 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X3000GS2-B firmware v1.08 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X3000GS2-W firmware v1.08 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X3000GS2A-B firmware v1.08 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X6000XS-G v1.11 and earlier (CVE-2024-39607, CVE-2024-40883)
- WRC-X6000XST-G v1.14 and earlier (CVE-2024-39607, CVE-2024-40883)
* A specially crafted file may be uploaded to the affected product by a logged-in user with administrative privilege, resulting in arbitrary OS command execution (CVE-2024-34021).
* A specially crafted request may be sent to the affected product by a logged-in user with administrative privilege to execute an arbitrary OS command (CVE-2024-39607).
* If a user views a malicious page while logged in to the affected product with administrative privilege, the user may be directed to perform unintended operations such as changing the login ID or login password (CVE-2024-40883).
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
ELECOM CO.,LTD.
- Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
- OS Command Injection (CWE-78) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
- CVE-2024-34021
- CVE-2024-39607
- CVE-2024-40883
- JVN: JVN#06672778
- [2024/07/30] Web page was published
- [2024/09/24] Affected Products: products were added
- [2024/11/26] Affected Products: products were added