[Japanese]

JVNDB-2024-001804

Multiple buffer overflow vulnerabilities in HOME SPOT CUBE2

Overview

HOME SPOT CUBE2 provided by KDDI CORPORATION contains multiple vulnerabilities listed below.

* Stack-based buffer overflow (CWE-121) - CVE-2024-21780
* Heap-based buffer overflow (CWE-122) - CVE-2024-23978

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-23978


CVSS V3 Severity:
Base Metrics:6.5 (Medium) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-21780
Affected Products


KDDI
  • HOME SPOT CUBE2 V102 and earlier

Impact

* Processing a specially crafted command may result in a denial of service (DoS) condition - CVE-2024-21780
* By processing invalid values, arbitrary code may be executed - CVE-2024-23978
Solution

[Apply the workaround]

* Connect the product only to a trusted network

The affected products are no longer supported and updates will be not be provided.
For more information, refer to the information provided by KDDI CORPORATION.

Vendor Information

KDDI
CWE (What is CWE?)

  1. Stack-based Buffer Overflow(CWE-121) [Other]
  2. Heap-based Buffer Overflow(CWE-122) [Other]
CVE (What is CVE?)

  1. CVE-2024-21780
  2. CVE-2024-23978
References

  1. JVN : JVNVU#93740658
Revision History

  • [2024/02/06]
      Web page was published