Published: 2018/08/29  Last Updated: 2018/08/29

Information from Yamaha Corporation

Vulnerability ID: JVN#69967692
Title: Multiple script injection vulnerabilities in multiple Yamaha network devices
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Description]

This vulnerability may cause an illegal script to be executed when a user accesses a specific setting page within the "simple setting page" of Yamaha routers and firewalls.
Execution of an illegal script may lead to malware infection, information fraud, and redirection to other unauthorized sites.

[Affected Products and Versions]

-------------------------------------
Model    Firmware
-------------------------------------
RT57i    Rev.8.00.95 and earlier
RT58i    Rev.9.01.51 and earlier
NVR500   Rev.11.00.36 and earlier
RTX810   Rev.11.01.31 and earlier
FWX120   Rev.11.03.25 and earlier
-------------------------------------

[Solution]

Please update to the latest firmware.

-------------------------------------
Model    Fixed Firmware
-------------------------------------
RT57i    Rev.8.00.98
RT58i    Rev.9.01.53
NVR500   Rev.11.00.38
RTX810   Rev.11.01.33
FWX120   Rev.11.03.27
-------------------------------------

[Mitigation]

This vulnerability can be avoided by disabling access to the "simple setting page" of Yamaha routers and firewalls with either of the following settings.

- Set "httpd service off" to disable the HTTP server function
- Set "httpd host none" to prohibit access to the GUI from all hosts
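
The following Python script is an added example, not part of Yamaha's statement. It classifies a device against the two firmware tables above and checks a saved configuration for either mitigation command. The function names, status labels and sample inventory are assumptions constructed for illustration; revisions between the last affected and the fixed release are reported as unknown because the advisory does not list them.

```python
import re

# Last affected and first fixed revisions, copied from the advisory's tables.
LAST_AFFECTED = {"RT57i": (8, 0, 95), "RT58i": (9, 1, 51), "NVR500": (11, 0, 36),
                 "RTX810": (11, 1, 31), "FWX120": (11, 3, 25)}
FIXED = {"RT57i": (8, 0, 98), "RT58i": (9, 1, 53), "NVR500": (11, 0, 38),
         "RTX810": (11, 1, 33), "FWX120": (11, 3, 27)}

def parse_rev(text):
    """Turn 'Rev.11.01.31' into (11, 1, 31) so revisions compare numerically."""
    m = re.search(r"Rev\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no firmware revision in {text!r}")
    return tuple(int(part) for part in m.groups())

def firmware_status(model, rev_text):
    if model not in FIXED:
        return "not-listed"
    rev = parse_rev(rev_text)
    if rev >= FIXED[model]:
        return "fixed"
    if rev <= LAST_AFFECTED[model]:
        return "affected"
    return "unknown"  # between the two tables; the advisory is silent here

def gui_disabled(config_text):
    """True if the config carries either mitigation command from the advisory."""
    httpd = {}
    for line in config_text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "httpd" and words[1] in ("service", "host"):
            httpd[words[1]] = words[2:]  # a later line overrides an earlier one
    return httpd.get("service") == ["off"] or httpd.get("host") == ["none"]

def assess(model, rev_text, config_text):
    status = firmware_status(model, rev_text)
    if status in ("fixed", "not-listed"):
        return status
    return status + ("+mitigated" if gui_disabled(config_text) else "+exposed")

# Constructed sample inventory: (model, revision string, saved config excerpt).
SAMPLE = [
    ("RTX810", "RTX810 Rev.11.01.31", "ip lan1 address 192.168.100.1/24\n"),
    ("NVR500", "NVR500 Rev.11.00.36", "httpd host none\n"),
    ("RT58i", "RT58i Rev.9.01.52", "# httpd service off\nhttpd host 192.168.100.2\n"),
    ("FWX120", "FWX120 Rev.11.03.27", ""),
]

if __name__ == "__main__":
    for model, rev, config in SAMPLE:
        print(f"{model:8} {rev:22} {assess(model, rev, config)}")
```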

[References]

We provide the latest information on this issue at the following URL.
http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/JVN69967692.html