Published:2021/01/26  Last Updated:2021/01/26

JVN#47580234
Multiple vulnerabilities in multiple ELECOM products

Overview

Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities.

Products Affected

CVE-2021-20643

  • LD-PS/U1
CVE-2021-20644
  • WRC-1467GHBK-A
CVE-2021-20645, CVE-2021-20646
  • WRC-300FEBK-A
CVE-2021-20647, CVE-2021-20648, CVE-2021-20649
  • WRC-300FEBK-S
CVE-2021-20650
  • NCC-EWF100RMWH2
CVE-2014-8361
  • WRC-300FEBK
  • WRC-F300NF
  • WRC-300FEBK-S

Description

Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

  • Improper Access Control (CWE-284) - CVE-2021-20643
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N Base Score: 5.0
  • Script injection in web setup page (CWE-74) - CVE-2021-20644
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 5.2
    CVSS v2 AV:A/AC:L/Au:N/C:N/I:P/A:N Base Score: 3.3
  • Stored cross-site scripting (CWE-79) - CVE-2021-20645
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • OS command injection (CWE-78) - CVE-2021-20648
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8
    CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2
  • Improper server certificate verification (CWE-295) - CVE-2021-20649
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 4.8
    CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0
  • OS command injection via UPnP (CWE-78) - CVE-2014-8361
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
    CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P Base Score: 5.0

Impact

  • By processing a specially crafted request, administrative password of the product may be changed - CVE-2021-20643
  • By displaying a specially crafted SSID on the web setup page, arbitrary script may be executed on the user's web browser - CVE-2021-20644
  • An arbitrary script may be executed on a logged in user's web browser - CVE-2021-20645
  • If a user views a malicious page while logged in to the web setup page of the product, arbitrary request may be executed and as a result, the product's settings may be altered and/or telnet daemon may be started - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650
  • An attacker who can access the product may execute arbitrary OS commands - CVE-2021-20648
  • A man-in-the-middle attack may allow an attacker to alter the communication response and as a result, arbitrary OS commands may be executed on the product - CVE-2021-20649
  • When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361

Solution

Stop using the products
The developer states these vulnerable products are no longer supported, therefore stop using the products.

Also according to the developer, the following workarounds may mitigate some of the effects of these issues.
Apply a Workaround
CVE-2021-20645, CVE-2021-20646, CVE-2021-20647, CVE-2021-20648, CVE-2021-20650

  • Change web setup page's log in password.
  • Do not access other websites while logged in to the web setup page.
  • Close the web browser after the operation is finished on the web setup page.
  • Delete password of web setup page stored in web browser.
CVE-2021-20649
  • Do not execute the firmware's "Check for update files" function.
  • For detailed setting change process, refer to User's Manual for the products.
CVE-2014-8361
  • Disable UPnP.

Vendor Status

Vendor Status Last Update Vendor Notes
ELECOM CO.,LTD. Vulnerable 2021/01/26 ELECOM CO.,LTD. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2021-20643
NAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20644
Ryo Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20645, CVE-2021-20646
Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20647, CVE-2021-20648, CVE-2021-20649
Satoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20650
Yutaka WATANABE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Satoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.

Other Information