[Japanese]

JVNDB-2024-000102

Multiple NTT EAST Home GateWay/Hikari Denwa routers fail to restrict access permissions

Overview

Multiple Home GateWay/Hikari Denwa routers provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION fail to restrict access permissions (CWE-451).

Keishi Awata of logicalmixed reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
  • PR-400MI firmware Ver.09.00.0015 and earlier
  • RT-400MI firmware Ver.09.00.0015 and earlier
  • RV-440MI firmware Ver.09.00.0015 and earlier
  • PR-600MI Ver.01.00.0008 and earlier
  • RX-600MI Ver.01.00.0008 and earlier
  • PR-500MI Ver.08.00.0004 and earlier
  • RS-500MI Ver.08.00.0004 and earlier
  • RT-500MI Ver.08.00.0004 and earlier

Note that, above products are also provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION (NTT WEST), but the vulnerability only affects products subscribed and used in NTT EAST areas.
Impact

An attacker who identified WAN-side IPv6 address may access the product's Device Setting page via WAN-side.
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-47044
References

  1. JVN : JVN#78356367
Revision History

  • [2024/09/24]
      Web page was published
  • [2024/10/18]
      Vendor Information : Content was added 

Date Public2024/09/24
Date First Published2024/09/24
Date Last Updated2024/10/18