JVNVU#96079387
ASUSTeK COMPUTER RT-AC87U vulnerable to improper access control
Overview
RT-AC87U provided by ASUSTeK COMPUTER INC. contains an improper access control vulnerability.
Products Affected
- RT-AC87U all versions
Description
RT-AC87U provided by ASUSTeK COMPUTER INC. contains an improper access control vulnerability (CWE-284).
Impact
An attacker may read or write files that are not intended to be accessed.
Solution
Stop using the products and switch to alternative products
The developer states that support for the affected product ended in May 2021 and that firmware updates will not be provided.
The developer recommends that users switch to alternative, unaffected products.
Apply the Workarounds
The developer recommends stopping tftpd while the affected device is in use.
To do so, enable SSH from the web UI, connect to the device via SSH, and run "killall tftpd".
For more information, please contact the developer.
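One way to confirm that the workaround took effect, as an added example that is not part of the advisory or the developer's own tooling. It assumes BusyBox-style `ps` and `netstat -lnu` output and that tftpd listens on the standard TFTP port, UDP 69; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example, not from the advisory. Assumes BusyBox-style `ps` and
# `netstat -lnu` output, and that tftpd listens on the standard TFTP port, UDP 69.

# Reads `ps` output on stdin. Exit 0: a process named tftpd exists,
# 1: none found, 2: header has no COMMAND column (result unknown).
tftpd_in_ps() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) if (toupper($i) == "COMMAND") col = i; next }
        # Compare only argv[0], so a running "grep tftpd" is not counted.
        col && NF >= col { n = split($col, part, "/"); if (part[n] == "tftpd") found = 1 }
        END { if (!col) exit 2; exit (found ? 0 : 1) }
    '
}

# Reads `netstat -lnu` output on stdin. Exit 0 if a UDP socket is bound to port 69.
udp69_listening() {
    awk '$1 ~ /^udp/ && $4 ~ /:69$/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# $1 = ps output, $2 = netstat -lnu output (constructed or captured text).
# Exit 0: workaround in effect, 1: tftpd still exposed, 2: cannot tell.
tftpd_status() {
    proc=0; sock=0
    printf '%s\n' "$1" | tftpd_in_ps || proc=$?
    if [ -z "$2" ]; then sock=2          # netstat missing or failed
    else printf '%s\n' "$2" | udp69_listening || sock=$?
    fi
    if [ "$proc" -eq 0 ] || [ "$sock" -eq 0 ]; then
        echo "tftpd still active: process or UDP 69 listener found"; return 1
    elif [ "$proc" -eq 2 ] || [ "$sock" -eq 2 ]; then
        echo "cannot tell: unrecognised ps or netstat output"; return 2
    fi
    echo "tftpd not running and nothing bound to UDP 69"; return 0
}

# On the device, after "killall tftpd" (script name is hypothetical):
#   sh check_tftpd.sh --run
if [ "${1:-}" = "--run" ]; then
    tftpd_status "$(ps)" "$(netstat -lnu 2>/dev/null)"
fi
```

Running it again after a reboot shows whether the service has come back.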
Vendor Status
Vendor | Link |
ASUSTeK COMPUTER INC. | Official Support; End-of-life product list |
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Comment
This analysis assumes that a remote attacker connects to a target device via tftp.
Credit
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
CVE |
CVE-2023-47678 |