JVNDB-2024-012461
|
Multiple vulnerabilities in SoftBank Mesh Wi-Fi router RP562B
|
Mesh Wi-Fi router RP562B provided by SoftBank Corp. contains multiple vulnerabilities listed below.
* Active debug code (CWE-489) - CVE-2024-29075
* OS command injection (CWE-78) - CVE-2024-45827
* Exposure of sensitive system information to an unauthorized control sphere (CWE-497) - CVE-2024-47799
Samy Younsi of NeroTeam Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 8.0 (High) [Other]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned for CVE-2024-45827.
|
CVSS V3 Severity: Base Metrics 4.6 (Medium) [Other]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base score has been assigned for CVE-2024-29075.
|
CVSS V3 Severity: Base Metrics 3.5 (Low) [Other]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
|
The attack scenarios above assume that an attacker is authenticated and connected to the same Wi-Fi network as the affected product in order to exploit it. Therefore, "PR (Privileges Required)" is evaluated as Low (L).
|
SoftBank
- Mesh Wi-Fi router RP562B firmware version v1.0.2 and earlier
|
* An authenticated attacker may obtain or alter the settings of the device (CVE-2024-29075)
* An authenticated attacker may execute an arbitrary OS command (CVE-2024-45827)
* An authenticated attacker may obtain information about devices connected through the Wi-Fi (CVE-2024-47799)
|
[Update the firmware]
According to the developer, the firmware that fixes these vulnerabilities is applied automatically.
|
SoftBank
|
- Active Debug Code (CWE-489) [Other]
- Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) [Other]
- OS Command Injection (CWE-78) [Other]
|
- CVE-2024-29075
- CVE-2024-45827
- CVE-2024-47799
|
- JVN: JVNVU#90676195
|
- [2024/11/13] Web page was published
- [2024/11/26] CVSS Severity was modified
|