JVN#17964918
Multiple I-O DATA LAN routers vulnerable in UPnP functionality
Overview
NP-BBRS and WN-G54/R2 provided by I-O DATA DEVICE, INC. contain a vulnerability in the UPnP functionality.
Products Affected
- NP-BBRS with all firmware versions
- WN-G54/R2 with firmware prior to Ver.1.03
Description
A wired LAN router NP-BBRS and a wireless LAN router WN-G54/R2 provided by I-O DATA DEVICE, INC. contain a vulnerability in the UPnP functionality.
Impact
The device may be used in a DDoS attack, as a SSDP reflector.
Solution
For NP-BBRS:
Do not use NP-BBRS
The developer has stated that the support of NP-BBRS has been discontinued thus recommends users to stop using NP-BBRS.
Note that the successor to NP-BBRS, ETX2-RA, is not affected by this vulnerability.
For WN-G54/R2:
Update the Firmware
I-O DATA DEVICE, INC. has released firmware Ver.1.03 to address this vulnerability.
Update to the latest version of firmware according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| I-O DATA DEVICE, INC. | Vulnerable | 2015/08/18 | I-O DATA DEVICE, INC. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2015.08.18 (CVSS Base Metrics)
| Measures | Severity | Description | ||
|---|---|---|---|---|
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". |
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) | Specialized access conditions or extenuating circumstances do not exist. |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) | Authentication is not required to exploit the vulnerability. |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) | There is no impact to the confidentiality of the system. |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) | There is no impact to the integrity of the system. |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) | There is reduced performance or interruptions in resource availability. |
Base Score:5.0
Credit
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2015-2984 |
| JVN iPedia |
JVNDB-2015-000117 |