Japan Vulnerability NotesJVN:14778242JVN#14778242: Multiple vulnerabilities in T&D and ESPEC MIC data logger products
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.2%
Multiple data logger products provided by T&D Corporation and ESPEC MIC CORP. contain multiple vulnerabilities listed below.
Client-side enforcement of server-side security (CWE-602) - CVE-2023-22654
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N | Base Score: 4.2 |
| CVSS v2 | AV:N/AC:H/Au:S/C:N/I:P/A:N | Base Score: 2.1 |
Improper authentication (CWE-287) - CVE-2023-27388
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 9.8 |
| CVSS v2 | AV:N/AC:L/Au:N/C:P/I:P/A:P | Base Score: 7.5 |
Missing authentication for critical function (CWE-306) - CVE-2023-23545
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | Base Score: 5.3 |
| CVSS v2 | AV:N/AC:L/Au:N/C:N/I:P/A:N | Base Score: 5.0 |
Cross-site request forgery (CWE-352) - CVE-2023-27387
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Impact
- An arbitrary script may be executed on a logged-in user’s web browser - CVE-2023-22654
- An attacker who can access the product may login to the product as a registered user - CVE-2023-27388
- An attacker who can access the product may alter the product settings without authentication - CVE-2023-23545
- If a user views a malicious page while logged in, unintended operations may be performed - CVE-2023-27387
Solution
Stop using the product
The developers state that these products had been end of sale in 2014, therefore recommend users to stop using the products.
Until stop using the products, it is recommended that applying following mitigations.
- Connect the products to the trusted closed network
- Allow only trusted PCs to access the products
- Install a WAF to protect the products
Apart from the vulnerabilities, the developers released updates with improved security features for the following products. - T&D Corporation’s products
- TR-71W/72W
- ESPEC MIC CORP.'s products
- RT-12N/RS-12N
For more details, refer to the information provided by the developers.
- RT-12N/RS-12N
Products Affected
The following products are affected.
Note that, ESPEC MIC CORP.'s products are OEM products of T&D Corporation.
Products provided by T&D Corporation:
-
TR-71W/72W all firmware versions
-
RTR-5W all firmware versions
-
WDR-7 all firmware versions
-
WDR-3 all firmware versions
-
WS-2 all firmware versions
Products provided by ESPEC MIC CORP.: -
RT-12N/RS-12N all firmware versions
-
RT-22BN all firmware versions
-
TEU-12N all firmware versions
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.2%