JVNVU#94119876
Multiple vulnerabilities in ELECOM and LOGITEC routers
Overview
Multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities.
Products Affected
CVE-2023-43752
- WRC-X3000GS2-W v1.05 and earlier
- WRC-X3000GS2-B v1.05 and earlier
- WRC-X3000GS2A-B v1.05 and earlier
- WRC-2533GHBK2-T all versions
- WRC-2533GHBK-I all versions
- WRC-1750GHBK2-I all versions
- WRC-1750GHBK-E all versions
- WRC-1750GHBK all versions
- WRC-1167GHBK2 all versions
- WRC-1167GHBK all versions
- WRC-F1167ACF all versions
- WRC-733GHBK all versions
- WRC-733GHBK-I all versions
- WRC-733GHBK-C all versions
- WRC-300GHBK2-I all versions
- WRC-300GHBK all versions
- WRC-733FEBK all versions
- WRC-300FEBK all versions
- WRC-F300NF all versions
- WRH-300WH-H all versions
- WRH-300BK all versions
- WRH-300WH all versions
- WRH-300RD all versions
- WRH-300SV all versions
- WRH-300BK-S all versions
- WRH-300WH-S all versions
- WRH-300BK2-S all versions
- WRH-300WH2-S all versions
- WRH-H300BK all versions
- WRH-H300WH all versions
- WRH-150BK all versions
- WRH-150WH all versions
- LAN-W300N/RS all versions
- LAN-W301NR all versions
- LAN-W300N/P all versions
- LAN-WH300N/DGP all versions
- LAN-WH300NDGPE all versions
Description
Multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below.
- OS Command Injection (CWE-78) - CVE-2023-43752
  CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8
  CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2
- Inadequate Encryption Strength (CWE-326) - CVE-2023-43757
  CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 6.5
  CVSS v2 AV:A/AC:L/Au:N/C:P/I:N/A:N Base Score: 3.3
Impact
- A logged-in user may execute an arbitrary OS command by sending a specially crafted request - CVE-2023-43752
- An attacker who can access the product may guess the encryption key used for the wireless LAN communication and intercept the communication - CVE-2023-43757
Solution
CVE-2023-43752
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
CVE-2023-43757
Apply the workaround
The developer recommends changing the initial Wi-Fi (wireless LAN) encryption key from the default value to a stronger one.
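The following is an added example, not code from ELECOM, LOGITEC or JPCERT/CC, showing why the workaround matters for a CWE-326 weakness and how an administrator can check a replacement passphrase before applying it. In WPA/WPA2-Personal the pairwise master key is derived from nothing but the SSID and the passphrase (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits, as specified in IEEE 802.11i), so a guessable default key means a guessable link key. The 80-bit minimum, the character-class entropy estimate and the sample passphrases below are assumptions constructed for illustration, not values from the advisory or any product's default.

```python
import hashlib
import math
import string

# Constructed sample passphrases for demonstration; none is a real default key of any product.
SAMPLE_PASSPHRASES = ["12345678", "password", "Xk7#pQ2m!vR9tL4w@Zb6"]


def passphrase_bits(passphrase: str) -> float:
    """Rough entropy estimate: length * log2(size of the character pool used).

    This is an upper bound; it treats every character as independently chosen,
    so a dictionary word scores higher than it deserves. Good enough to reject
    obviously weak keys, not a substitute for generating the key randomly.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_wpa2_passphrase(passphrase: str, min_bits: float = 80.0) -> dict:
    """Check a candidate WPA2-Personal passphrase against the standard's
    format rules (8 to 63 printable ASCII characters) and an assumed
    minimum entropy (min_bits is this example's own policy value).

    Returns a dict with the estimated bits, an ok flag and a list of
    problem codes: "length", "non_ascii", "digits_only", "low_entropy".
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length")
    if any(ord(c) < 32 or ord(c) > 126 for c in passphrase):
        problems.append("non_ascii")
    if passphrase.isdigit():
        # All-numeric keys of a fixed length are a classic guessable-default pattern.
        problems.append("digits_only")
    bits = passphrase_bits(passphrase)
    if bits < min_bits:
        problems.append("low_entropy")
    return {"bits": round(bits, 1), "ok": not problems, "problems": problems}


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA2-Personal PMK exactly as the standard does.

    Because the inputs are only the SSID and the passphrase, the PMK is
    no harder to guess than the passphrase itself.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    for candidate in SAMPLE_PASSPHRASES:
        print(candidate, check_wpa2_passphrase(candidate))
    # Known-answer check from IEEE 802.11i Annex (SSID "IEEE", passphrase "password").
    print(derive_pmk("IEEE", "password").hex())
```

Run it to see the digits-only and dictionary-word candidates rejected while a 20-character mixed-class key passes; the last line reproduces the standard's published PMK test vector, confirming that the derivation, and therefore the key space, depends on the passphrase alone.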
Stop using the products
Some vulnerable products are no longer supported. Stop using the products and consider switching to alternative products. For more information, refer to the security advisories released on July 6, 2021 and August 10, 2023 from the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
ELECOM CO.,LTD. | Vulnerable | 2023/11/14 | ELECOM CO.,LTD. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2023-43752
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVE-2023-43757
Katsuhiko Sato (a.k.a. goroh_kun), Yuya Adachi and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
CVE
- CVE-2023-43752
- CVE-2023-43757
Update History
- 2023/11/14
- Information under the section [Products Affected] was updated