Published: 2023/07/11  Last Updated: 2023/08/10

JVNVU#91850798
Multiple vulnerabilities in ELECOM and LOGITEC wireless LAN routers

Overview

Multiple wireless LAN routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities.

Products Affected

CVE-2023-37566

  • WRC-1167GHBK3-A v1.24 and earlier
  • WRC-1167FEBK-A v1.18 and earlier
  • WRC-F1167ACF2 all versions
  • WRC-600GHBK-A all versions
  • WRC-733FEBK2-A all versions
  • WRC-1467GHBK-A all versions
  • WRC-1900GHBK-A all versions
  • LAN-W301NR all versions

CVE-2023-37567

  • WRC-1167GHBK3-A v1.24 and earlier
  • WRC-F1167ACF2 all versions
  • WRC-600GHBK-A all versions
  • WRC-733FEBK2-A all versions
  • WRC-1467GHBK-A all versions
  • WRC-1900GHBK-A all versions
  • LAN-W301NR all versions

CVE-2023-37568

  • WRC-1167GHBK-S v1.03 and earlier
  • WRC-1167GEBK-S v1.03 and earlier

Description

Multiple wireless LAN routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below.

  • Command Injection on the web management page (CWE-77) - CVE-2023-37566, CVE-2023-37568
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8
    CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2
  • Command Injection on a certain port of the web management page (CWE-77) - CVE-2023-37567
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5

Impact

  • A network-adjacent authenticated attacker may execute an arbitrary command by sending a specially crafted request to the web management page - CVE-2023-37566, CVE-2023-37568
  • A remote unauthenticated attacker may execute an arbitrary command by sending a specially crafted request to a certain port of the web management page - CVE-2023-37567

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Stop using the products
Some vulnerable products are no longer supported. For more information, refer to the security advisory from the developer and stop using the products.

Vendor Status

Vendor           Status      Last Update  Vendor Notes
ELECOM CO.,LTD.  Vulnerable  2023/08/10   ELECOM CO.,LTD. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2023-37566, CVE-2023-37567, CVE-2023-37568

Update History

2023/08/10
Information under the sections [Title], [Overview], [Products Affected], [Description], and [Solution] was updated.
2023/08/10
ELECOM CO.,LTD. status updated.