JVNVU#96824262
Multiple vulnerabilities in Buffalo network devices

Overview

Multiple network devices provided by BUFFALO INC. contain multiple vulnerabilities.

Products Affected

CVE-2023-26588、CVE-2023-24544

• BS-GSL2024 firmware Ver. 1.10-0.03 and earlier
• BS-GSL2016P firmware Ver. 1.10-0.03 and earlier
• BS-GSL2016 firmware Ver. 1.10-0.03 and earlier
• BS-GS2008 firmware Ver. 1.0.10.01 and earlier
• BS-GS2016 firmware Ver. 1.0.10.01 and earlier
• BS-GS2024 firmware Ver. 1.0.10.01 and earlier
• BS-GS2048 firmware Ver. 1.0.10.01 and earlier
• BS-GS2008P firmware Ver. 1.0.10.01 and earlier
• BS-GS2016P firmware Ver. 1.0.10.01 and earlier
• BS-GS2024P firmware Ver. 1.0.10.01 and earlier

• BS-GS2008 firmware Ver. 1.0.10.01 and earlier
• BS-GS2016 firmware Ver. 1.0.10.01 and earlier
• BS-GS2024 firmware Ver. 1.0.10.01 and earlier
• BS-GS2048 firmware Ver. 1.0.10.01 and earlier
• BS-GS2008P firmware Ver. 1.0.10.01 and earlier
• BS-GS2016P firmware Ver. 1.0.10.01 and earlier
• BS-GS2024P firmware Ver. 1.0.10.01 and earlier

Description

Multiple network devices provided by BUFFALO INC. contain multiple vulnerabilities listed below.

• Use of hard-coded credentials (CWE-798) - CVE-2023-26588

  CVSS v3

  CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  Base Score: 2.4

• Improper access control (CWE-284) - CVE-2023-24544

  CVSS v3

  CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

  Base Score: 6.5

• Stored cross-site scripting (CWE-79) - CVE-2023-24464

  CVSS v3

  CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

  Base Score: 4.0

Impact

• An attacker may access the debug function of the product - CVE-2023-26588
• An attacker may obtain specific files of the product and as a result, the product settings may be altered - CVE-2023-24544
• An attacker with access to the web management console of the product may execute arbitrary JavaScript on a legitimate user's web browser - CVE-2023-24464

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.