JVN#24348065
Multiple vulnerabilities in HOME SPOT CUBE2

Overview

HOME SPOT CUBE2 provided by KDDI CORPORATION contains multiple vulnerabilities.

Products Affected

• HOME SPOT CUBE2 firmware ​V101 and earlier

Description

HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE2 contains multiple vulnerabilities listed below.

• OS command injection in Clock Settings (CWE-78) - CVE-2017-2183

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	Base Score: 6.8
  CVSS v2	AV:A/AC:L/Au:S/C:P/I:P/A:P	Base Score: 5.2

• Buffer overflow in WebUI (CWE-119) - CVE-2017-2184

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.8
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

• OS command injection in WebUI (CWE-78) - CVE-2017-2185

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	Base Score: 6.8
  CVSS v2	AV:A/AC:L/Au:S/C:P/I:P/A:P	Base Score: 5.2

• Improper authentication in WebUI (CWE-287) - CVE-2017-2186

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	Base Score: 6.5
  CVSS v2	AV:A/AC:L/Au:N/C:N/I:P/A:N	Base Score: 3.3

Impact

The impact of each vulnerability is as follows.

• An arbitrary OS command may be executed by an attacker who can access the management screen of the product -- CVE-2017-2183, CVE-2017-2185
• Arbitrary code may be executed by an attacker who can access the management screen of the product -- CVE-2017-2184
• Firmware may be altered by an attacker who can access the management screen of the product -- CVE-2017-2186

Solution

Update the Firmware
Apply the appropriate firmware update provided by the developer.