Published:2024/03/26 Last Updated:2024/11/26
JVNVU#95381465
Multiple vulnerabilities in ELECOM wireless LAN routers
Overview
Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities.
Products Affected
CVE-2024-25568
- WRC-X3200GST3-B v1.25 and earlier
- WRC-G01-W v1.24 and earlier
- WMC-X1800GST-B v1.41 and earlier
- WRC-X3200GST3-B v1.25 and earlier
- WRC-G01-W v1.24 and earlier
- WRC-1167GST2 v1.32 and earlier
- WRC-2533GST2 v1.30 and earlier
- WRC-X3200GST3-B v1.25 and earlier
- WRC-G01-W v1.24 and earlier
Description
Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
- OS Command Injection (CWE-78) - CVE-2024-25568
CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8 CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P Base Score: 5.8 - OS Command Injection (CWE-78) - CVE-2024-26258
CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8 CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2 - Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) - CVE-2024-29225
CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 6.5 CVSS v2 AV:A/AC:L/Au:N/C:P/I:N/A:N Base Score: 3.3
Impact
- An unauthenticated attacker may execute an arbitrary OS command by sending a specially crafted request - CVE-2024-25568
- A user with credentials may execute an arbitrary OS command by sending a specially crafted request - CVE-2024-26258
- An unauthenticated attacker may obtain the configuration file containing sensitive information by sending a specially crafted request - CVE-2024-29225
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
ELECOM CO.,LTD. | Vulnerable | 2024/11/14 | ELECOM CO.,LTD. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2024-25568 |
CVE-2024-26258 |
|
CVE-2024-29225 |
|
JVN iPedia |
|
Update History
- 2024/05/28
- ELECOM CO.,LTD. update status
- 2024/05/28
- Information under the section [Title], [Overview], [Products Affected], and [Description] was updated
- 2024/08/27
- ELECOM CO.,LTD. update status
- 2024/08/27
- Information under the section [Products Affected] was updated
- 2024/11/26
- ELECOM CO.,LTD. update status
- 2024/11/26
- Information under the section [Products Affected] was updated