Published: 2017/07/19  Last Updated: 2017/07/19

JVN#77412145
SONY Portable Wireless Server WG-C10 fails to restrict access permissions

Overview

Portable Wireless Server WG-C10 provided by Sony Corporation fails to restrict access permissions.

Products Affected

  • WG-C10 v3.0.79 and earlier

Description

Portable Wireless Server WG-C10 provided by Sony Corporation fails to restrict access permissions (CWE-284).

Impact

An authenticated attacker may obtain or alter information stored in the external storage connected to the product.

Solution

Apply a Workaround
The following workarounds may mitigate the effects of this vulnerability.

  • Avoid using public wireless LAN service
For more information, please refer to the developer's website.

Vendor Status

Vendor            Status      Last Update  Vendor Notes
Sony Corporation  Vulnerable  2017/07/19   Sony Corporation website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 7.3

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): Low (L)

CVSS v2  AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5

  • Access Vector (AV): Network (N)
  • Access Complexity (AC): Low (L)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): Partial (P)

Credit

Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2017-2277
JVN iPedia: JVNDB-2017-000176