JVN#55217369
Rakuten WiFi Pocket vulnerable to improper authentication
Overview
The Management Screen of Rakuten WiFi Pocket, provided by Rakuten Mobile, Inc., contains an improper authentication vulnerability.
Products Affected
- Rakuten WiFi Pocket all versions
Description
Rakuten WiFi Pocket, provided by Rakuten Mobile, Inc., is a mobile router.
The Management Screen of Rakuten WiFi Pocket contains an improper authentication vulnerability (CWE-287).
Impact
An attacker who can access the product may log in to the product's Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed.
Solution
Stop using the product and switch to alternative products
The developer states that the affected product is no longer supported and recommends using alternative products.
For more information, refer to the information provided by the developer.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | ||
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | ||
Scope(S) | Unchanged (U) | Changed (C) | ||
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) |
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2023-40282 |
JVN iPedia | JVNDB-2023-000086 |