JVNDB-2024-003067

Multiple vulnerabilities in PLANEX COMMUNICATIONS wireless LAN router MZK-MF300N

Overview

Wireless LAN router MZK-MF300N provided by PLANEX COMMUNICATIONS INC. contains multiple vulnerabilities listed below.

* Active debug code (CWE-489)
* Command Injection on a certain port (CWE-77)

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.8 (High)
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-30220


CVSS V3 Severity:
Base Metrics 6.8 (Medium)
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-30219

Affected Products

PLANEX COMMUNICATIONS INC.
  • MZK-MF300N all firmware versions

Impact

* If a logged-in user who knows how to use the debug function accesses the device's management page, an unintended operation may be performed (CVE-2024-30219).

* An unauthenticated attacker may execute an arbitrary command by sending a specially crafted request to a certain port (CVE-2024-30220).

Solution

[Stop using the product]
According to the developer, the affected product is no longer supported. Stop using the product.

Vendor Information

PLANEX COMMUNICATIONS INC.

CWE

  1. Active Debug Code (CWE-489)
  2. Command Injection (CWE-77)

CVE

  1. CVE-2024-30219
  2. CVE-2024-30220

References

  1. JVN : JVNVU#91975826

Revision History

  • [2024/04/05]
      Web page was published