JVN#46615026
Multiple vulnerabilities in I-O DATA routers UD-LT1 and UD-LT1/EX
Critical

Overview

UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities.

Products Affected

• UD-LT1 firmware Ver.2.1.8 and earlier
• UD-LT1/EX firmware Ver.2.1.8 and earlier

Description

UD-LT1 and UD-LT1/EX provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.

• Incorrect Permission Assignment for Critical Resource (CWE-732)
  • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 6.5
  • CVE-2024-45841
• OS Command Injection (CWE-78)
  • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
  • CVE-2024-47133
• Inclusion of Undocumented Features (CWE-1242)
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score 7.5
  • CVE-2024-52564

Impact

• If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained (CVE-2024-45841)
• A logged-in user with an administrative account may execute an arbitrary OS command (CVE-2024-47133)
• A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered (CVE-2024-52564)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

CVE-2024-45841, CVE-2024-47133
The developer states that the updates addressing these vulnerabilities are planned to be released around December 18, 2024.

CVE-2024-52564
The developer has released the updates listed below that addresses this vulnerability.

• UD-LT1 firmware Ver.2.1.9
• UD-LT1/EX firmware Ver.2.1.9