Published: 2024/12/04  Last Updated: 2024/12/04

JVN#46615026
Multiple vulnerabilities in I-O DATA routers UD-LT1 and UD-LT1/EX
Critical

Overview

UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities.

Products Affected

  • UD-LT1 firmware Ver.2.1.8 and earlier
  • UD-LT1/EX firmware Ver.2.1.8 and earlier

Description

UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.

  • Incorrect Permission Assignment for Critical Resource (CWE-732)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 6.5
    • CVE-2024-45841
  • OS Command Injection (CWE-78)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2024-47133
  • Inclusion of Undocumented Features (CWE-1242)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score 7.5
    • CVE-2024-52564

The developer states that attacks exploiting these vulnerabilities have been observed.

Impact

  • An attacker who holds the guest account of an affected product may obtain information containing credentials by accessing a specific file (CVE-2024-45841)
  • A logged-in user with an administrative account may execute an arbitrary OS command (CVE-2024-47133)
  • A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered (CVE-2024-52564)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

CVE-2024-45841, CVE-2024-47133
The developer states that the updates addressing these vulnerabilities are planned to be released around December 18, 2024.

CVE-2024-52564
The developer has released the updates listed below, which address this vulnerability.

  • UD-LT1 firmware Ver.2.1.9
  • UD-LT1/EX firmware Ver.2.1.9

Apply the workaround
The developer states that the settings of the affected products should be checked and changed.
For more information, refer to the information provided by the developer.

Vendor Status

Vendor: I-O DATA DEVICE, INC.
Status: Vulnerable
Last Update: 2024/12/04
Vendor Notes: I-O DATA DEVICE, INC. website

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2024-45841, CVE-2024-47133
Takeshi Kuramori, Kaori Takashima, and Kohei Masumi of National Institute of Information and Communications Technology, Cybersecurity Research Institute reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2024-52564
Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2024-45841, CVE-2024-47133, CVE-2024-52564
JVN iPedia: JVNDB-2024-000125