JVNVU#98082029
Realtek chip deadlock vulnerability (CVE-2022-34326) in Mitsubishi Electric consumer electronics products
Overview
A Realtek chip deadlock vulnerability (CVE-2022-34326) exists in multiple consumer electronics products provided by Mitsubishi Electric Corporation. It occurs when the product processes a Wi-Fi connection in access point mode.
Products Affected
A wide range of product models and versions is affected by this vulnerability.
For details, refer to the information provided by the developer.
- Wi-Fi Interface and Air Conditioning
- Air Purifier
The following products and user environments are not affected by this vulnerability.
- Products that do not support Wi-Fi communication
- Products that support Wi-Fi communication, when Wi-Fi communication is not used
- Products that support Wi-Fi communication, when WPS communication is used
- Products that support Wi-Fi communication, when Wi-Fi communication is used normally after device registration has been completed
Description
A Realtek chip deadlock vulnerability (CWE-833, CVE-2022-34326) exists in multiple consumer electronics products provided by Mitsubishi Electric Corporation. It occurs when the product processes a Wi-Fi connection in access point mode.
The developer states that access point mode is used only when registering devices and is not used for other purposes such as connecting to the internet or operating the devices. Therefore, the impact of this vulnerability is limited, and products are not affected under normal conditions of use.
For more information, refer to the information provided by the developer.
Impact
If an affected product receives specially crafted data from an attacker on the adjacent network, the product's Wi-Fi connection may fall into a denial-of-service (DoS) condition, and communication using access point mode may be disabled. As a result, registering the device may become impossible.
The following method helps recover from the denial-of-service (DoS) condition, after which device registration becomes possible again.
- Manually reset the affected device
Solution
Apply workaround
According to the developer, applying the following workarounds may mitigate the impact of this vulnerability.
- Be sure to protect the access point mode SSID and KEY information
- Apply the following workarounds when using a computer or a tablet at home
  - Be sure to update the operating system, software, anti-virus software, etc. to the latest version and use the device in a securely maintained condition
  - Do not open any suspicious files or links sent by untrusted senders
Vendor Status
Vendor | Link |
---|---|
Mitsubishi Electric Corporation | Denial-of-Service (DoS) Vulnerability due to Realtek chips Vulnerability in Wi-Fi connection process in access point mode for multiple consumer electronics products |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Credit
Mitsubishi Electric Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.