JVNDB-2024-014793

Multiple vulnerabilities in FXC AE1021 and AE1021PE

Overview

AE1021 and AE1021PE are information outlet type wireless LAN routers provided by FXC Inc. They contain multiple vulnerabilities listed below.

* Weak Authentication (CWE-1390) - CVE-2024-47397
* OS Command Injection (CWE-78) - CVE-2024-53688
* Inclusion of Undocumented Features (CWE-1242) - CVE-2024-54457

Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics: 7.5 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
The above CVSS base score has been assigned for CVE-2024-47397

CVSS V3 Severity:
Base Metrics: 7.2 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned for CVE-2024-53688

CVSS V3 Severity:
Base Metrics: 7.2 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned for CVE-2024-54457

Affected Products

FXC Inc.
  • Wireless LAN router AE1021 firmware versions 2.0.10 and earlier
  • Wireless LAN router AE1021PE firmware versions 2.0.10 and earlier

Impact

* The authentication may be bypassed with an undocumented specific string (CVE-2024-47397)
* A logged-in user may execute an arbitrary OS command using a crafted HTTP request (CVE-2024-53688)
* A logged-in user may enable the telnet service (CVE-2024-54457)

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

Vendor Information

FXC Inc.

CWE

  1. Inclusion of Undocumented Features or Chicken Bits (CWE-1242)
  2. Weak Authentication (CWE-1390)
  3. OS Command Injection (CWE-78)

CVE

  1. CVE-2024-47397
  2. CVE-2024-53688
  3. CVE-2024-54457

References

  1. JVN: JVNVU#91084137

Revision History

  • [2024/12/16]
      Web page was published