Published: 2024/02/20  Last Updated: 2024/11/26

JVN#44166658
Multiple vulnerabilities in ELECOM wireless LAN routers and wireless LAN repeater

Overview

Multiple wireless LAN routers and wireless LAN repeater provided by ELECOM CO.,LTD. contain multiple vulnerabilities.

Products Affected

CVE-2024-21798

  • WRC-1167GS2-B v1.67 and earlier
  • WRC-1167GS2H-B v1.67 and earlier
  • WRC-1167GST2 v1.32 and earlier
  • WRC-2533GS2-B v1.62 and earlier
  • WRC-2533GS2-W v1.62 and earlier
  • WRC-2533GS2V-B v1.62 and earlier
  • WRC-2533GST2 v1.30 and earlier
  • WRC-X3200GST3-B v1.25 and earlier
  • WRC-G01-W v1.24 and earlier
  • WMC-X1800GST-B v1.41 and earlier

CVE-2024-23910

  • WRC-1167GS2-B v1.67 and earlier
  • WRC-1167GS2H-B v1.67 and earlier
  • WRC-1167GST2 v1.32 and earlier
  • WRC-2533GS2-B v1.62 and earlier
  • WRC-2533GS2-W v1.62 and earlier
  • WRC-2533GS2V-B v1.62 and earlier
  • WRC-2533GST2 v1.30 and earlier
  • WRC-X3200GST3-B v1.25 and earlier
  • WRC-G01-W v1.24 and earlier
  • WMC-X1800GST-B v1.41 and earlier
  • WSC-X1800GS-B v1.41 and earlier

WMC-X1800GST-B and WSC-X1800GS-B are also included in e-Mesh Starter Kit "WMC-2LX-B" provided by ELECOM CO.,LTD.

Description

Multiple wireless LAN routers and wireless LAN repeater provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

  • Cross-site Scripting (CWE-79) - CVE-2024-21798
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score: 4.8
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • Cross-Site Request Forgery (CWE-352) - CVE-2024-23910
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • If a malicious administrative user configures the affected product with specially crafted content, an arbitrary script may be executed in the web browser of another administrative user who logs in and operates the product - CVE-2024-21798
  • If an administrative user who is logged in to the affected product views a malicious page, the user may be tricked into performing unintended operations on the affected product - CVE-2024-23910

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor            Status       Last Update   Vendor Notes
ELECOM CO.,LTD.   Vulnerable   2024/11/14    ELECOM CO.,LTD. website

Credit

CVE-2024-21798
Yamaguchi Kakeru of Fujitsu Limited reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2024-23910
Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2024-21798, CVE-2024-23910
JVN iPedia: JVNDB-2024-000020

Update History

2024/03/26
  • ELECOM CO.,LTD. update status
  • Information under the section [Products Affected] was updated
2024/05/28
  • ELECOM CO.,LTD. update status
  • Information under the section [Title], [Overview], [Products Affected], and [Description] was updated
2024/08/27
  • ELECOM CO.,LTD. update status
  • Information under the section [Products Affected] was updated
2024/11/26
  • ELECOM CO.,LTD. update status
  • Information under the section [Products Affected] was updated