JVN#47580234: Multiple vulnerabilities in multiple ELECOM products

Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

Improper Access Control (CWE-284) - CVE-2021-20643

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	Base Score: 5.3
CVSS v2	AV:N/AC:L/Au:N/C:N/I:P/A:N	Base Score: 5.0

Script injection in web setup page (CWE-74) - CVE-2021-20644

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.2
CVSS v2	AV:A/AC:L/Au:N/C:N/I:P/A:N	Base Score: 3.3

Stored cross-site scripting (CWE-79) - CVE-2021-20645

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.4
CVSS v2	AV:N/AC:M/Au:S/C:N/I:P/A:N	Base Score: 3.5

Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 4.3
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

OS command injection (CWE-78) - CVE-2021-20648

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	Base Score: 6.8
CVSS v2	AV:A/AC:L/Au:S/C:P/I:P/A:P	Base Score: 5.2

Improper server certificate verification (CWE-295) - CVE-2021-20649

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N	Base Score: 4.8
CVSS v2	AV:N/AC:H/Au:N/C:P/I:P/A:N	Base Score: 4.0

OS command injection via UPnP (CWE-78) - CVE-2014-8361

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.8
CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.0

Impact

• By processing a specially crafted request, administrative password of the product may be changed - CVE-2021-20643
• By displaying a specially crafted SSID on the web setup page, arbitrary script may be executed on the user’s web browser - CVE-2021-20644
• An arbitrary script may be executed on a logged in user’s web browser - CVE-2021-20645
• If a user views a malicious page while logged in to the web setup page of the product, arbitrary request may be executed and as a result, the product’s settings may be altered and/or telnet daemon may be started - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650
• An attacker who can access the product may execute arbitrary OS commands - CVE-2021-20648
• A man-in-the-middle attack may allow an attacker to alter the communication response and as a result, arbitrary OS commands may be executed on the product - CVE-2021-20649
• When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361

Solution

Stop using the products
The developer states these vulnerable products are no longer supported, therefore stop using the products.

Also according to the developer, the following workarounds may mitigate some of the effects of these issues.
Apply a Workaround CVE-2021-20645, CVE-2021-20646, CVE-2021-20647, CVE-2021-20648, CVE-2021-20650

• Change web setup page’s log in password.

• Do not access other websites while logged in to the web setup page.

• Close the web browser after the operation is finished on the web setup page.

• Delete password of web setup page stored in web browser.
  CVE-2021-20649

• Do not execute the firmware’s “Check for update files” function.

• For detailed setting change process, refer to User’s Manual for the products.
  CVE-2014-8361

• Disable UPnP.

Products Affected

CVE-2021-20643

• LD-PS/U1
  CVE-2021-20644

• WRC-1467GHBK-A
  CVE-2021-20645, CVE-2021-20646

• WRC-300FEBK-A
  CVE-2021-20647, CVE-2021-20648, CVE-2021-20649

• WRC-300FEBK-S
  CVE-2021-20650

• NCC-EWF100RMWH2
  CVE-2014-8361

• WRC-300FEBK

• WRC-F300NF

• WRC-300FEBK-S