Published: 2024/12/16  Last Updated: 2024/12/16

JVN#61635834
Multiple vulnerabilities in SHARP routers

Overview

SHARP routers contain multiple vulnerabilities.

Products Affected

CVE-2024-45721, CVE-2024-46873, CVE-2024-47864, CVE-2024-52321
For NTT DOCOMO, INC.
  • home 5G HR02 versions S5.82.00 and earlier
  • Wi-Fi STATION SH-52B versions S3.87.11 and earlier
  • Wi-Fi STATION SH-54C versions S6.60.00 and earlier

CVE-2024-46873, CVE-2024-52321
For NTT DOCOMO, INC.
  • Wi-Fi STATION SH-05L versions 01.00.C0 and earlier
For SoftBank Corp.
  • PocketWifi 809SH versions 01.00.B9 and earlier
For KDDI CORPORATION
  • Speed Wi-Fi NEXT W07 versions 02.00.48 and earlier

CVE-2024-54082
For NTT DOCOMO, INC.
  • home 5G HR02 versions S5.82.00 and earlier
  • Wi-Fi STATION SH-54C versions S6.60.00 and earlier

Description

SHARP routers contain multiple vulnerabilities listed below.

  • OS command injection vulnerability in the HOST name configuration screen (CWE-78)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2024-45721
  • The hidden debug function is enabled (CWE-489)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2024-46873
  • Buffer overflow vulnerability in the hidden debug function (CWE-120)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score 5.3
    • CVE-2024-47864
  • Improper authentication vulnerability in the configuration backup function (CWE-497)
    • CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 5.9
    • CVE-2024-52321
  • OS command injection vulnerability in the configuration restore function (CWE-78)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2024-54082

Impact

  • An arbitrary OS command may be executed with root privileges (CVE-2024-45721, CVE-2024-46873, CVE-2024-54082)
  • The product's web console may go down (CVE-2024-47864)
  • The product's backup files containing sensitive information may be retrieved (CVE-2024-52321)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor              Status      Last Update  Vendor Notes
KDDI CORPORATION    Vulnerable  2024/12/16   KDDI CORPORATION website
NTT DOCOMO, INC.    Vulnerable  2024/12/16
Sharp Corporation   Vulnerable  2024/12/16   Sharp Corporation website
SoftBank Corp.      Vulnerable  2024/12/16   SoftBank Corp. website

Credit

Shuto Imai of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2024-45721, CVE-2024-46873, CVE-2024-47864, CVE-2024-52321, CVE-2024-54082
JVN iPedia: JVNDB-2024-000128