JVN#15201064
Multiple vulnerabilities in CG-WGR1200

Overview

CG-WGR1200 provided by Corega Inc contains multiple vulnerabilities.

Products Affected

• CG-WGR1200 firmware 2.20 and earlier

Description

CG-WGR1200 provided by Corega Inc is a wireless LAN router. CG-WGR1200 contains multiple vulnerabilities listed below.

• Buffer Overflow (CWE-119) - CVE-2017-10852

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.8
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

• Buffer Overflow (CWE-78) - CVE-2017-10853

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.8
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

• Authentication bypass (CWE-306) - CVE-2017-10854

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.8
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

Impact

• A user with access to the affected device may execute arbitrary code － CVE-2017-10852
• A user with access to the affected device may execute an arbitrary command － CVE-2017-10853
• A user with access to the affected device may change the login password. As a result, the user may access the management screen of the device and perform an arbitrary operation such as altering the device's settings － CVE-2017-10854

Solution

Do not use CG-WGR1200
Stop using CG-WGR1200. According to the developer, there is no plan to provide fix for these vulnerabilities since CG-WGR1200 is no longer supported.

Apply a Workaround
CG-WGR1200 is no longer supported and there is no plan of the fixes for these vulnerabilities being provided. However if you continue to use the device, apply following workarounds to mitigate the impacts of these vulnerabilities.

• Disable remote connection function to prevent an attacker's remote access to the device
• Prevent unauthorized access from inside the LAN to the device.