Published:2024/05/15  Last Updated:2024/05/15

JVNVU#92249385
Ruijie BCR810W/BCR860 vulnerable to OS command injection

Overview

Network router BCR810W/BCR860 provided by Ruijie Networks Co., Ltd. contains an OS command injection vulnerability.

Products Affected

  • BCR810W
  • BCR860

Description

Network router BCR810W/BCR860 provided by Ruijie Networks Co., Ltd. contains an OS command injection vulnerability (CVE-2023-3608, CWE-78).
Note that this vulnerability can only be exploited when the BCOS port of the product is connected to the Internet.

JPCERT/CC has confirmed attacks attempting to exploit this vulnerability.

Impact

An arbitrary OS command may be executed by an authenticated user with administrative privileges.

Solution

Update the firmware
The vendor has released firmware BCOS 2.5.15, which fixes this vulnerability.

Apply workarounds
The vendor recommends the following workarounds.

  • Set a strong administrator password.
  • Disable WAN access to the products.

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score: 6.8
Attack Vector (AV): Adjacent (A)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)
