Published: 2014/12/02  Last Updated: 2014/12/02

JVN#61593104
ARROWS Me F-11D vulnerability where arbitrary areas may be accessed

Overview

ARROWS Me F-11D contains a vulnerability where arbitrary areas on the device may be accessed.

Products Affected

  • ARROWS Me F-11D

Description

ARROWS Me F-11D contains a vulnerability where arbitrary areas on the device may be accessed.

Impact

An attacker with local access may obtain or alter contents in the flash memory of the device.

Solution

Apply an Update
Apply the update according to the information provided by the provider.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
NTT DOCOMO, INC. | Vulnerable | 2014/12/02 |

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2014.12.02 (CVSS Base Metrics)

Measures | Severity | Description
Access Vector (AV) | Local (L) / Adjacent Network (A) / Network (N) | A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account.
Access Complexity (AC) | High (H) / Medium (M) / Low (L) | Specialized access conditions or extenuating circumstances do not exist.
Authentication (Au) | Multiple (M) / Single (S) / None (N) | Authentication is not required to exploit the vulnerability.
Confidentiality Impact (C) | None (N) / Partial (P) / Complete (C) | There is total information disclosure, resulting in all system files being revealed.
Integrity Impact (I) | None (N) / Partial (P) / Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.
Availability Impact (A) | None (N) / Partial (P) / Complete (C) | There is a total shutdown of the affected resource.

Base Score: 7.2

Comment

This analysis was performed under the assumption that physical access to the device is necessary.

Credit

FUKAUMI Naoki of SOUM Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2014-7254
JVN iPedia: JVNDB-2014-000139