Published: 2024/11/12  Last Updated: 2024/11/25

JVNVU#90676195
Multiple vulnerabilities in SoftBank Mesh Wi-Fi router RP562B

Overview

Mesh Wi-Fi router RP562B provided by SoftBank Corp. contains multiple vulnerabilities.

Products Affected

  • Mesh Wi-Fi router RP562B firmware version v1.0.2 and earlier

Description

Mesh Wi-Fi router RP562B provided by SoftBank Corp. contains multiple vulnerabilities listed below.

  • Active debug code (CWE-489)
    • CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Base Score 4.6
    • CVE-2024-29075
  • OS command injection (CWE-78)
    • CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.0
    • CVE-2024-45827
  • Exposure of sensitive system information to an unauthorized control sphere (CWE-497)
    • CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score 3.5
    • CVE-2024-47799

The attack scenarios above assume that an attacker is authenticated and connected to the same Wi-Fi network as the affected product in order to exploit it. Therefore, "PR (Privileges Required)" is evaluated as Low (L).

Impact

  • An authenticated attacker may obtain or alter the settings of the device (CVE-2024-29075)
  • An authenticated attacker may execute an arbitrary OS command (CVE-2024-45827)
  • An authenticated attacker may obtain information about devices connected through the Wi-Fi (CVE-2024-47799)

Solution

Update the firmware
According to the developer, the firmware that fixes these vulnerabilities is applied automatically.

Vendor Status

Vendor          Status      Last Update   Vendor Notes
SoftBank Corp.  Vulnerable  2024/11/12

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Samy Younsi of NeroTeam Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2024-29075, CVE-2024-45827, CVE-2024-47799

Update History

2024/11/25
Information under the section [Description] was updated