Published: 2024/04/24  Last Updated: 2024/04/24

JVN#62737544
Multiple vulnerabilities in RoamWiFi R10

Overview

RoamWiFi R10 provided by RoamWiFi Technology Co., Ltd. contains multiple vulnerabilities.

Products Affected

  • RoamWiFi R10 versions prior to 4.8.45

Description

RoamWiFi R10 provided by RoamWiFi Technology Co., Ltd. contains multiple vulnerabilities listed below.

  • Active debug code (CWE-489)
    • CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
    • CVE-2024-31406
  • Insertion of sensitive information into log file (CWE-532)
    • CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 6.5
    • CVE-2024-32051

Impact

  • An attacker with access to the device may perform unauthorized operations (CVE-2024-31406)
  • An attacker with access to the device may obtain sensitive information (CVE-2024-32051)

Solution

Update the firmware
The update is applied automatically by the Over-The-Air (OTA) function when the device is turned on. Therefore, no action is required from the user.

Vendor Status

Vendor: RoamWiFi Technology Co., Ltd.
Link: RoamWiFi

Credit

Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2024-31406, CVE-2024-32051
  • JVN iPedia: JVNDB-2024-000042