Published:2023/03/31  Last Updated:2023/09/06

JVN#40604023
Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210
Critical

Overview

SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 provided by Seiko Solutions Inc. contain multiple vulnerabilities.

Products Affected

CVE-2022-36556, CVE-2022-36557, CVE-2022-36558, CVE-2023-22361, CVE-2023-23906, CVE-2023-24586, CVE-2023-25070, CVE-2023-25072

  • SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier
CVE-2016-2183, CVE-2022-36559, CVE-2022-36560, CVE-2023-22441, CVE-2023-23578, CVE-2023-23901, CVE-2023-25184
  • SkyBridge MB-A200 firmware Ver. 01.00.05 and earlier
CVE-2023-22441, CVE-2023-23901, CVE-2023-25184
  • SkyBridge BASIC MB-A130 firmware Ver. 1.4.1 and earlier
CVE-2023-25184
  • SkySpider MB-R210 firmware Ver. 1.01.00 and earlier

Description

SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 provided by Seiko Solutions Inc. contain multiple vulnerabilities listed below.

  • Exposure of sensitive information to an unauthorized actor (CWE-200) - CVE-2016-2183
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:N/A:N Base Score: 7.8
  • Command injection (CWE-77) - CVE-2022-36556
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
  • Unrestricted upload of file with dangerous type (CWE-434) - CVE-2022-36557
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • Use of hard-coded credentials (CWE-798) - CVE-2022-36558
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 6.2
    CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N Base Score: 2.1
  • Command injection (CWE-77) - CVE-2022-36559
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Use of hard-coded credentials (CWE-798) - CVE-2022-36560
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 6.2
    CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N Base Score: 2.1
  • Improper privilege management (CWE-269) - CVE-2023-22361
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • Missing authentication for critical function (CWE-306) - CVE-2023-22441
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Base Score: 8.6
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:C Base Score: 9.0
  • Improper access control (CWE-284) - CVE-2023-23578
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
  • Improper following of a certificate's chain of trust (CWE-296) - CVE-2023-23901
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 4.8
    CVSS v2  AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0
  • Missing authentication for critical function (CWE-306) - CVE-2023-23906
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score: 7.5
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:C Base Score: 7.8
  • Cleartext storage of sensitive information (CWE-312) - CVE-2023-24586
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 3.1
    CVSS v2 AV:N/AC:M/Au:S/C:P/I:N/A:N Base Score: 3.5
  • Cleartext transmission of sensitive information (CWE-319) - CVE-2023-25070
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 4.8
    CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0
  • Use of weak credentials (CWE-1391) - CVE-2023-25072
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 6.5
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:N Base Score: 6.4
  • Use of weak credentials (CWE-1391) - CVE-2023-25184
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
The developer states that attacks exploiting CVE-2022-36556 have been observed.

Impact

  • A remote attacker may decrypt the communication sent to the WebUI of the product - CVE-2016-2183
  • A user may execute an arbitrary OS command with an administrative privilege of the product - CVE-2022-36556
  • A user may update files or execute an arbitrary command with an administrative privilege of the product - CVE-2022-36557
  • A local attacker may access to the product with an administrative privilege of the product - CVE-2022-36558、CVE-2022-36560
  • A remote attacker may execute an arbitrary OS command with an administrative privilege of the product - CVE-2022-36559
  • A user may alter a WebUI password of the product - CVE-2023-22361
  • A remote attacker may obtain or alter the setting information of the product or execute some critical functions without authentication, e.g., rebooting the product - CVE-2023-22441
  • A remote attacker may connect to the product's ADB port - CVE-2023-23578
  • A remote attacker may eavesdrop on or alter the communication sent to the WebUI of the product - CVE-2023-23901
  • A remote attacker may execute some critical functions without authentication, e.g., rebooting the product - CVE-2023-23906
  • A user may obtain an APN credential for the product - CVE-2023-24586
  • If the telnet connection is enabled, a remote attacker may eavesdrop on or alter the administrator's communication to the product - CVE-2023-25070
  • A remote attacker may decrypt password for the WebUI of the product - CVE-2023-25072, CVE-2023-25184

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer released the following versions which contain a fix for these vulnerabilities.

  • SkyBridge MB-A100/110 Ver. 4.2.2 and later
  • SkyBridge MB-A200 Ver. 01.00.07 and later
  • SkyBridge BASIC MB-A130 Ver. 1.4.3 and later
Apply the workaround
The developer recommends applying a workaround.

For more information, refer to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2023-22441
MASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2016-2183, CVE-2022-36556, CVE-2022-36557, CVE-2022-36558, CVE-2022-36559, CVE-2022-36560, CVE-2023-22361, CVE-2023-23578, CVE-2023-23901, CVE-2023-23906, CVE-2023-24586, CVE-2023-25070, CVE-2023-25072, CVE-2023-25184
Thomas J. Knudsen and Samy Younsi of NeroTeam Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Update History

2023/09/06
Information under the section [Description] was updated.