Published: 2024/03/22  Last Updated: 2024/03/22

JVNVU#93546510
Multiple vulnerabilities in home gateway HGW BL1500HM

Overview

Home gateway HGW BL1500HM provided by KDDI CORPORATION contains multiple vulnerabilities.

Products Affected

  • HGW BL1500HM Ver 002.001.013 and earlier

Description

Home gateway HGW BL1500HM provided by KDDI CORPORATION contains multiple vulnerabilities listed below.

  • Use of weak credentials (CWE-1391) - CVE-2024-21865, CVE-2024-29071
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score: 6.5
  • Command injection (CWE-77) - CVE-2024-28041
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8

Impact

  • An attacker may connect via SSH and use a shell - CVE-2024-21865
  • An attacker may execute arbitrary commands - CVE-2024-28041
  • An attacker may change the system settings - CVE-2024-29071

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer fixed these vulnerabilities in HGW BL1500HM Ver 002.001.019.

Credit

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2024-21865, CVE-2024-28041, CVE-2024-29071