|
[Japanese]
|
JVNDB-2024-000125
|
Multiple vulnerabilities in I-O DATA routers UD-LT1 and UD-LT1/EX
|
|
UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.
- Incorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-45841
- OS Command Injection (CWE-78) - CVE-2024-47133
- Inclusion of Undocumented Features (CWE-1242) - CVE-2024-52564
The developer states that attacks exploiting these vulnerabilities have been observed.
CVE-2024-45841, CVE-2024-47133
Takeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-52564
Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
|
CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-52564
|
CVSS V3 Severity:
Base Metrics
7.2 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-47133
|
CVSS V3 Severity:
Base Metrics
6.5 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-45841
|
|
|
I-O DATA DEVICE, INC.
- UD-LT1 firmware Ver.2.1.8 and earlier (CVE-2024-52564)
- UD-LT1 firmware Ver.2.1.9 and earlier (CVE-2024-45841, CVE-2024-47133)
- UD-LT1/EX firmware Ver.2.1.8 and earlier (CVE-2024-52564)
- UD-LT1/EX firmware Ver.2.1.9 and earlier (CVE-2024-45841, CVE-2024-47133)
|
|
|
- If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained (CVE-2024-45841)
- A logged-in user with an administrative account may execute an arbitrary OS command (CVE-2024-47133)
- A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered (CVE-2024-52564)
|
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
CVE-2024-45841, CVE-2024-47133
The developer has released the updates listed below that addresses these vulnerabilities.
- UD-LT1 firmware Ver.2.2.0
- UD-LT1/EX firmware Ver.2.2.0
CVE-2024-52564
The developer has released the updates listed below that addresses this vulnerability.
- UD-LT1 firmware Ver.2.1.9
- UD-LT1/EX firmware Ver.2.1.9
[Apply the workaround]
The developer states that the settings of the affected products should be checked and changed.
For more information, refer to the information provided by the developer.
|
|
I-O DATA DEVICE, INC.
|
|
- OS Command Injection(CWE-78) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2024-45841
- CVE-2024-47133
- CVE-2024-52564
|
|
- JVN : JVN#46615026
- IPA SECURITY ALERTS : Security Alert for Vulnerability in I-O DATA routers UD-LT1 and UD-LT1/EX (JVN#46615026) (in Japanese)
|
|
- [2024/12/04]
Web page was published
- [2024/12/18]
Affected Products : Product version was modified
Solution was modified
|
