Published: 2018/02/20  Last Updated: 2018/02/23

JVN#83834277
Multiple vulnerabilities in FS010W

Overview

FS010W provided by FUJI SOFT INCORPORATED contains multiple vulnerabilities.

Products Affected

  • FS010W firmware FS010W_00_V1.3.0 and earlier

Description

FS010W provided by FUJI SOFT INCORPORATED is a WiFi router. FS010W contains multiple vulnerabilities listed below.

  • Stored cross-site scripting (CWE-79) - CVE-2018-0519
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score: 4.3
    CVSS v2 AV:A/AC:L/Au:S/C:N/I:P/A:N Base Score: 2.7
  • Cross-site request forgery (CWE-352) - CVE-2018-0520
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Base Score: 7.1
    CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0

Impact

The possible impact of each vulnerability is as follows:

  • An arbitrary script may be executed in the web browser of a user who is logged in to the setting tool of the device - CVE-2018-0519
  • If a user views a malicious page while logged in to the setting tool of the affected product, unintended operations such as changing the settings of the device may be performed - CVE-2018-0520
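The two weakness classes listed above (CWE-79 and CWE-352) are the kind that a device's web setting tool has to address on the server side. The following is an added illustration written for this page; it is not FS010W firmware code and assumes a toy session store and a form dictionary in place of the device's real web framework. It shows the two controls a fix would normally rest on: HTML-escaping stored values before rendering them, and requiring a per-session CSRF token on every state-changing request.

```python
"""Illustrative mitigations for stored XSS (CWE-79) and CSRF (CWE-352).

Constructed example for this advisory; not FS010W code. The session store,
session ids and form layout are assumptions standing in for the device's
actual web framework.
"""
import hmac
import html
import secrets

# Constructed: per-session state, keyed by a session id taken from the login cookie.
SESSIONS: dict[str, dict] = {}


def login(session_id: str) -> str:
    """Create a session and mint the CSRF token that writes must carry."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": token, "settings": {"ssid": "FS010W"}}
    return token


def render_field(stored_value: str) -> str:
    """CWE-79 mitigation: escape stored data before it is placed in the page.

    Without escaping, a value such as <script>...</script> saved into the
    settings would execute in the browser of every administrator who views it.
    """
    return '<input name="ssid" value="{}">'.format(html.escape(stored_value, quote=True))


def change_settings(session_id: str, form: dict) -> tuple[int, str]:
    """CWE-352 mitigation: a state-changing request must present the token
    bound to the session; a third-party page cannot read or forge it.

    Returns (status_code, message) in the style of an HTTP response.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered via timing.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    session["settings"]["ssid"] = form.get("ssid", session["settings"]["ssid"])
    return 200, "settings updated"


if __name__ == "__main__":
    token = login("sess-admin")
    # A cross-site form post carries the login cookie but not the token.
    print(change_settings("sess-admin", {"ssid": "evil"}))
    # The legitimate setting page includes the token in its form.
    print(change_settings("sess-admin", {"ssid": "home", "csrf_token": token}))
    # Escaped output is inert even if the stored value contains markup.
    print(render_field('"><script>alert(1)</script>'))
```

The workaround "do not access other websites while logged into the setting tool" is a user-side substitute for the token check: it closes the window in which a malicious page could ride on the administrator's session.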

Solution

Apply Workarounds
Applying all workarounds listed below may mitigate the impacts of these vulnerabilities.

  • Change the initial login password set in the setting tool
  • Do not access other websites while logged into the setting tool
  • Close the web browser after completing settings of the device using the setting tool

Vendor Status

Vendor                  Status      Last Update  Vendor Notes
FUJI SOFT INCORPORATED  Vulnerable  2018/02/20   FUJI SOFT INCORPORATED website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Manabu Kobayashi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2018-0519, CVE-2018-0520
JVN iPedia: JVNDB-2018-000015

Update History

2018/02/23
JVN iPedia link was added under the section [Other Information].