JVNDB-2024-003067

Multiple vulnerabilities in PLANEX COMMUNICATIONS wireless LAN routers

Overview

Wireless LAN routers provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below.

* Active debug code (CWE-489) - CVE-2024-30219
* Command Injection on a certain port (CWE-77) - CVE-2024-30220

Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.8 (High)
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-30220


CVSS V3 Severity:
Base Metrics 6.8 (Medium)
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-30219

Affected Products

PLANEX COMMUNICATIONS INC.
  • MZK-MF300HP2 firmware versions 1.18 and earlier
  • MZK-MF300N all firmware versions

Impact

* If a logged-in user who knows how to use the debug function accesses the device's management page, an unintended operation may be performed (CVE-2024-30219)

* An unauthenticated attacker may execute an arbitrary command by sending a specially crafted request to a certain port (CVE-2024-30220)

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

[Stop using the product]
According to the developer, MZK-MF300N is no longer supported. Stop using the product.

For more information, refer to the information provided by the developer.

Vendor Information

PLANEX COMMUNICATIONS INC.

CWE

  1. Active Debug Code (CWE-489)
  2. Command Injection (CWE-77)

CVE

  1. CVE-2024-30219
  2. CVE-2024-30220

References

  1. JVN : JVNVU#91975826

Revision History

  • [2024/04/05]
      Web page was published
  • [2025/02/27]
      Title was modified
      Overview was modified
      Affected Products: Product was added
      Solution was modified