Published: 2023/08/23  Last Updated: 2023/08/23

JVN#55217369
Rakuten WiFi Pocket vulnerable to improper authentication

Overview

The Management Screen of Rakuten WiFi Pocket, provided by Rakuten Mobile, Inc., contains an improper authentication vulnerability.

Products Affected

  • Rakuten WiFi Pocket all versions
Note that Rakuten WiFi Pocket 2B and Rakuten WiFi Pocket 2C are not affected by this vulnerability.

Description

Rakuten WiFi Pocket, provided by Rakuten Mobile, Inc., is a mobile router.
The Management Screen of Rakuten WiFi Pocket contains an improper authentication vulnerability (CWE-287).

Impact

An attacker who can access the product may log in to the product's Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed.

Solution

Stop using the product and switch to alternative products
The developer states that the affected product is no longer supported, and recommends using alternative products.
For more information, refer to the information provided by the developer.

Vendor Status

Vendor                Status      Last Update  Vendor Notes
Rakuten Mobile, Inc.  Vulnerable  2023/08/23

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 3.1
  Attack Vector (AV): Adjacent (A)  [options: Physical (P), Local (L), Adjacent (A), Network (N)]
  Attack Complexity (AC): High (H)  [options: High (H), Low (L)]
  Privileges Required (PR): None (N)  [options: High (H), Low (L), None (N)]
  User Interaction (UI): None (N)  [options: Required (R), None (N)]
  Scope (S): Unchanged (U)  [options: Unchanged (U), Changed (C)]
  Confidentiality Impact (C): Low (L)  [options: None (N), Low (L), High (H)]
  Integrity Impact (I): None (N)  [options: None (N), Low (L), High (H)]
  Availability Impact (A): None (N)  [options: None (N), Low (L), High (H)]

CVSS v2: AV:A/AC:M/Au:N/C:P/I:N/A:N
Base Score: 2.9
  Access Vector (AV): Adjacent Network (A)  [options: Local (L), Adjacent Network (A), Network (N)]
  Access Complexity (AC): Medium (M)  [options: High (H), Medium (M), Low (L)]
  Authentication (Au): None (N)  [options: Multiple (M), Single (S), None (N)]
  Confidentiality Impact (C): Partial (P)  [options: None (N), Partial (P), Complete (C)]
  Integrity Impact (I): None (N)  [options: None (N), Partial (P), Complete (C)]
  Availability Impact (A): None (N)  [options: None (N), Partial (P), Complete (C)]

Credit

Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-40282
JVN iPedia: JVNDB-2023-000086