|
[Japanese]
|
JVNDB-2024-000128
|
Multiple vulnerabilities in SHARP routers
|
|
SHARP routers contain multiple vulnerabilities listed below.
- OS command injection vulnerability in the HOST name configuration screen (CWE-78) - CVE-2024-45721
- The hidden debug function is enabled (CWE-489) - CVE-2024-46873
- Buffer overflow vulnerability in the hidden debug function (CWE-120) - CVE-2024-47864
- Improper authentication vulnerability in the configuration backup function (CWE-497) - CVE-2024-52321
- OS command injection vulnerability in the configuration restore function (CWE-78) - CVE-2024-54082
Shuto Imai of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-46873
|
CVSS V3 Severity:
Base Metrics
7.2 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-45721
|
CVSS V3 Severity:
Base Metrics
7.2 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-54082
|
CVSS V3 Severity:
Base Metrics
5.9 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: High
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-52321
|
CVSS V3 Severity:
Base Metrics
5.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2024-47864
|
|
|
Sharp Corporation
- home 5G HR02 versions S5.82.00 and earlier (CVE-2024-45721, CVE-2024-46873, CVE-2024-47864, CVE-2024-52321, CVE-2024-54082 / For NTT DOCOMO, INC.)
- PocketWifi 809SH versions 01.00.B9 and earlier (CVE-2024-46873, CVE-2024-52321 / For SoftBank Corp.)
- Speed Wi-Fi NEXT W07 versions 02.00.48 and earlier (CVE-2024-46873, CVE-2024-52321 / For KDDI CORPORATION)
- Wi-Fi STATION SH-05L versions 01.00.C0 and earlier (CVE-2024-46873, CVE-2024-52321 / For NTT DOCOMO, INC.)
- Wi-Fi STATION SH-52B versions S3.87.11 and earlier (CVE-2024-45721, CVE-2024-46873, CVE-2024-47864, CVE-2024-52321 / For NTT DOCOMO, INC.)
- Wi-Fi STATION SH-54C versions S6.60.00 and earlier (CVE-2024-45721, CVE-2024-46873, CVE-2024-47864, CVE-2024-52321, CVE-2024-54082 / For NTT DOCOMO, INC.)
|
|
|
- An arbitrary OS command may be executed with the root privilege (CVE-2024-45721, CVE-2024-46873, CVE-2024-54082)
- The Web console of the product may be down (CVE-2024-47864)
- The product's backup files containing sensitive information may be retrieved (CVE-2024-52321)
|
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
|
|
KDDI
Sharp Corporation
SoftBank
NTT DOCOMO, INC.
|
|
- OS Command Injection(CWE-78) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2024-46873
- CVE-2024-45721
- CVE-2024-54082
- CVE-2024-52321
- CVE-2024-47864
|
|
- JVN : JVN#61635834
|
|
- [2024/12/17]
Web page was published
|
