Published: 2020/02/19  Last Updated: 2020/02/19

JVN#49410695
Multiple vulnerabilities in Aterm WG2600HS

Overview

Aterm WG2600HS provided by NEC Corporation contains multiple vulnerabilities.

Products Affected

  • Aterm WG2600HS firmware Ver1.3.2 and earlier

Description

Aterm WG2600HS provided by NEC Corporation contains multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79) - CVE-2020-5533
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • OS command injection (CWE-78) - CVE-2020-5534
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
    CVSS v2 AV:A/AC:L/Au:S/C:C/I:C/A:C Base Score: 7.7

Impact

  • An arbitrary script may be executed on the logged-in user's web browser - CVE-2020-5533
  • A user who can log in to the HTTP service of the device may execute an arbitrary OS command with root privileges - CVE-2020-5534

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor          | Status     | Last Update | Vendor Notes
NEC Corporation | Vulnerable | 2020/02/19  |

Credit

Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2020-5533, CVE-2020-5534
  • JVN iPedia: JVNDB-2020-000015