JVN#38248512
Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
Overview
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities.
Products Affected
- Aterm WF800HP firmware all versions
- Aterm WG2600HP firmware Ver1.0.13 and earlier
- Aterm WG2600HP2 firmware Ver1.0.3 and earlier
Description
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities listed below.
Aterm WF800HP:
- Cross-site Scripting (CWE-79) - CVE-2021-20620
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
- Improper Access Control (CWE-284) - CVE-2017-12575
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5 CVSS v2 AV:N/AC:M/Au:N/C:P/I:N/A:N Base Score: 4.3 - Cross-Site Request Forgery (CWE-352) - CVE-2021-20621
-
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - Cross-site Scripting (CWE-79) - CVE-2021-20622
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
- An arbitrary script may be executed on the user's web browser - CVE-2021-20620
- A remote attacker may obtain and/or alter the settings stored in the device - CVE-2017-12575
- If a user accesses a specially crafted page while logged in, unintended operations may be performed - CVE-2021-20621
- An arbitrary script may be executed on the logged in user's web browser - CVE-2021-20622
Solution
Apply workaround
For the users of Aterm WF800HP:
Applying the following workaround may mitigate the impacts of the vulnerability.
- When accessing a website, use a URL obtained from a trusted source and register it to the bookmark. For subsequent accesses, use the URL registered in the bookmark.
For the users of Aterm WG2600HP and Aterm WG2600HP2:
Update the firmware to the latest version according to the information provided by the developer.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2021-20620
Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20621, CVE-2021-20622
Noriaki Iwasaki of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2017-12575 |
CVE-2021-20620 |
|
CVE-2021-20621 |
|
CVE-2021-20622 |
|
JVN iPedia |
|
Update History
- 2021/02/02
- Information under the section "Products Affected" was updated.