JVNVU#94260088
Multiple vulnerabilities in Elecom routers

Overview

Multiple routers provided by ELECOM CO.,LTD. contain information disclosure and OS command injection vulnerabilities.

Products Affected

• WRC-1167FS-W
• WRC-1167FS-B
• WRC-300FEBK
• WRC-F300NF
• WRC-733FEBK
• WRH-300RD
• WRH-300BK
• WRH-300SV
• WRH-300WH
• WRH-H300WH
• WRH-H300BK
• WRC-1167FSA
• WRH-300BK-S
• WRH-300WH-S

Description

Multiple routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

WRC-1167FS-W, WRC-1167FS-B, WRC-1167FSA

• Information disclosure (CWE-200) - CVE-2021-20738

  CVSS v3

  CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  Base Score: 4.3

WRC-300FEBK, WRC-F300NF, WRC-733FEBK, WRH-300RD, WRH-300BK, WRH-300SV, WRH-300WH, WRH-H300WH, WRH-H300BK, WRH-300BK-S, WRH-300WH-S

• OS command injection (CWE-78) - CVE-2021-20739

  CVSS v3

  CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

  Base Score: 6.3

Impact

• An unauthenticated network-adjacent attacker can possibly obtain sensitive information. - CVE-2021-20738
• An unauthenticated network-adjacent attacker can execute arbitrary OS commands. - CVE-2021-20739

Solution

Stop using the products
Vulnerable products listed below are no longer supported. Stop using the products and consider switching to alternatives.
WRC-300FEBK、WRC-F300NF、WRC-733FEBK、WRH-300RD、WRH-300BK、WRH-300SV、WRH-300WH、WRH-H300WH、WRH-H300BK、WRH-300BK-S、WRH-300WH-S

Apply a workaround
For WRC-1167FS-W, WRC-1167FS-B and WRC-1167FSA, applying the following workarounds may mitigate the impacts of vulnerabilities. According to the developer, firmware updates for these products will not be released.

• Change the password of products.
• Do not access unnecessary web sites while logged into the products.
• Quit the web browser after completing the settings.
• Delete the password stored in the browser.