Published:2021/04/27  Last Updated:2021/04/30

JVNVU#90274525
Multiple Buffalo network devices contain hidden functionality

Overview

Multiple network devices provided by BUFFALO INC. contain hidden functionality.

Products Affected

  • BHR-4RV firmware Ver.2.55 and prior
  • FS-G54 firmware Ver.2.04 and prior
  • WBR2-B11 firmware Ver.2.32 and prior
  • WBR2-G54 firmware Ver.2.32 and prior
  • WBR2-G54-KD firmware Ver.2.32 and prior
  • WBR-B11 firmware Ver.2.23 and prior
  • WBR-G54 firmware Ver.2.23 and prior
  • WBR-G54L firmware Ver.2.20 and prior
  • WHR2-A54G54 firmware Ver.2.25 and prior
  • WHR2-G54 firmware Ver.2.23 and prior
  • WHR2-G54V firmware Ver.2.55 and prior
  • WHR3-AG54 firmware Ver.2.23 and prior
  • WHR-G54 firmware Ver.2.16 and prior
  • WHR-G54-NF firmware Ver.2.10 and prior
  • WLA2-G54 firmware Ver.2.24 and prior
  • WLA2-G54C firmware Ver.2.24 and prior
  • WLA-B11 firmware Ver.2.20 and prior
  • WLA-G54 firmware Ver.2.20 and prior
  • WLA-G54C firmware Ver.2.20 and prior
  • WLAH-A54G54 firmware Ver.2.54 and prior
  • WLAH-AM54G54 firmware Ver.2.54 and prior
  • WLAH-G54 firmware Ver.2.54 and prior
  • WLI2-TX1-AG54 firmware Ver.2.53 and prior
  • WLI2-TX1-AMG54 firmware Ver.2.53 and prior
  • WLI2-TX1-G54 firmware Ver.2.20 and prior
  • WLI3-TX1-AMG54 firmware Ver.2.53 and prior
  • WLI3-TX1-G54 firmware Ver.2.53 and prior
  • WLI-T1-B11 firmware Ver.2.20 and prior
  • WLI-TX1-G54 firmware Ver.2.20 and prior
  • WVR-G54-NF firmware Ver.2.02 and prior
  • WZR-G108 firmware Ver.2.41 and prior
  • WZR-G54 firmware Ver.2.41 and prior
  • WZR-HP-G54 firmware Ver.2.41 and prior
  • WZR-RS-G54 firmware Ver.2.55 and prior
  • WZR-RS-G54HP firmware Ver.2.55 and prior

Description

Multiple network devices provided by BUFFALO INC. contain hidden functionality (CWE-912) that allows an attacker to enable the debug option.

Impact

A network-adjacent attacker may execute arbitrary code or OS commands, change the configuration, and cause a denial of service (DoS) condition.


Solution

Do not use the products
According to the developer, the affected devices are no longer supported, and users are advised to switch to alternative devices.
For more details, refer to the information provided by the developer.

Vendor Status

Vendor         Status       Last Update   Vendor Notes
BUFFALO INC.   Vulnerable   2021/04/27    BUFFALO INC. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
Attack Vector (AV): Adjacent (A)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Credit

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE CVE-2021-20716

Update History

2021/04/30
Updated [Impact]