Published: 2024/05/15 Last Updated: 2024/05/15
JVNVU#92249385
Ruijie BCR810W/BCR860 vulnerable to OS command injection
Overview
Network router BCR810W/BCR860 provided by Ruijie Networks Co., Ltd. contains an OS command injection vulnerability.
Products Affected
- BCR810W
- BCR860
Description
Network router BCR810W/BCR860 provided by Ruijie Networks Co., Ltd. contains an OS command injection vulnerability (CVE-2023-3608, CWE-78).
Note that this vulnerability can only be exploited when the BCOS port of the product is connected to the Internet.
JPCERT/CC has confirmed attack attempts that exploit this vulnerability.
Impact
An arbitrary OS command may be executed by an authenticated user with administrative privileges.
Solution
Update the firmware
The vendor has released firmware BCOS 2.5.15 which fixes this vulnerability.
Apply workarounds
The vendor recommends the following workarounds.
- Set a strong administrator password.
- Disable WAN access to the products.
Vendor Status
Vendor | Link
---|---
Ruijie Networks Co., Ltd. | 关于部分路由器BCOS系统存在命令执行漏洞的安全通告 (in Chinese; "Security Advisory on the Command Execution Vulnerability in the BCOS System of Certain Routers")
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score: 6.8

Metric | Value
---|---
Attack Vector (AV) | Adjacent (A)
Attack Complexity (AC) | Low (L)
Privileges Required (PR) | High (H)
User Interaction (UI) | None (N)
Scope (S) | Unchanged (U)
Confidentiality Impact (C) | High (H)
Integrity Impact (I) | High (H)
Availability Impact (A) | High (H)