JVN#29739718: Multiple vulnerabilities in Aterm WF1200CR, Aterm WG1200CR, Aterm WG2600HS, and Aterm WX3000HP

Overview

Aterm WF1200CR, Aterm WG1200CR, Aterm WG2600HS, and Aterm WX3000HP provided by NEC Corporation contain multiple vulnerabilities.

Products Affected

Aterm WF1200CR firmware Ver1.3.2 and earlier
Aterm WG1200CR firmware Ver1.3.3 and earlier
Aterm WG2600HS firmware Ver1.5.1 and earlier
Aterm WX3000HP firmware Ver1.1.2 and earlier

Description

Aterm WF1200CR, Aterm WG1200CR, Aterm WG2600HS, and Aterm WX3000HP provided by NEC Corporation contain multiple vulnerabilities listed below.

Aterm WF1200CR, Aterm WG1200CR, and Aterm WG2600HS

OS Command Injection (CWE-78) - CVE-2021-20708

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8

CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2
Improper Validation of Integrity Check Value (CWE-354) - CVE-2021-20709

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8

CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2

Aterm WG2600HS

Cross-site Scripting (CWE-79) - CVE-2021-20710

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
OS Command Injection (CWE-78) - CVE-2021-20711

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/ Base Score: 8.8

CVSS v2 AV:A/AC:L/Au:N/C:C/I:C/A:C Base Score: 8.3

Aterm WG2600HS, and WX3000HP

Improper Access Control (CWE-284) - CVE-2021-20712

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3

CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0

Impact

If an attacker who can access the device sends a specially crafted request to a specific URL, an arbitrary command may be executed - CVE-2021-20708
If a user sends a specially crafted request to a specific URL while logging into the management screen of the device, an arbitrary command may be executed - CVE-2021-20709
An arbitrary script may be executed on the user's web browser - CVE-2021-20710
An attacker who can access the management screen of the device may execute an arbitrary command - CVE-2021-20711
Because of the defect in the IPv6 firewall function, devices connected to the LAN side may be accessed from the WAN side etc - CVE-2021-20712

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
NEC Corporation	Vulnerable	2021/04/09

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2021-20708 and CVE-2021-20709
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20710 and CVE-2021-20711
Satoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20712
Yoshimitsu Kato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2021-20708
	CVE-2021-20709
	CVE-2021-20710
	CVE-2021-20711
	CVE-2021-20712
JVN iPedia	JVNDB-2021-000030

CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	Base Score: 6.8
CVSS v2	AV:A/AC:L/Au:S/C:P/I:P/A:P	Base Score: 5.2

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/	Base Score: 8.8
CVSS v2	AV:A/AC:L/Au:N/C:C/I:C/A:C	Base Score: 8.3

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	Base Score: 5.3
CVSS v2	AV:N/AC:L/Au:N/C:P/I:N/A:N	Base Score: 5.0

JVN#29739718 Multiple vulnerabilities in Aterm WF1200CR, Aterm WG1200CR, Aterm WG2600HS, and Aterm WX3000HP