JVN#61593104
ARROWS Me F-11D vulnerability where arbitrary areas may be accessed
Overview
ARROWS Me F-11D contains a vulnerability where arbitrary areas on the device may be accessed.
Products Affected
- ARROWS Me F-11D
Description
ARROWS Me F-11D contains a vulnerability where arbitrary areas on the device may be accessed.
Impact
An attacker with local access may obtain or alter contents in the flash memory of the device.
Solution
Apply an Update
Apply the update according to the information provided by the provider.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.12.02 (CVSS Base Metrics)
| Measures | Severity | Description | ||
|---|---|---|---|---|
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account. |
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) | Specialized access conditions or extenuating circumstances do not exist. |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) | Authentication is not required to exploit the vulnerability. |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) | There is total information disclosure, resulting in all system files being revealed. |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) | There is a total shutdown of the affected resource. |
Base Score:7.2
Comment
This analysis was performed under the assumption that physical access to the device is necessary.
Credit
FUKAUMI Naoki of SOUM Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-7254 |
| JVN iPedia |
JVNDB-2014-000139 |