JVN#41017328: HOME SPOT CUBE2 vulnerable to OS command injection

2022-06-29 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 8.3 High

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

AV:A/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 8.8 High

  • Attack Vector: ADJACENT
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low (Percentile: 23.0%)

HOME SPOT CUBE2, provided by KDDI CORPORATION, contains an OS command injection vulnerability (CWE-78) due to improper processing of data received from a DHCP server.

Impact

An arbitrary OS command may be executed on the product if a malicious DHCP server is placed on the WAN side of the product.

Solution

Apply the workaround
Applying the following workaround may mitigate the impact of this vulnerability.

  • Connect the WAN port of the product to a trusted ISP line
    The developer states that an attack exploiting this vulnerability is not realistic if the WAN port of the product is connected to a trusted ISP line.

Products Affected

  • HOME SPOT CUBE2 V102 and earlier
