JVN#96783542: Multiple vulnerabilities in multiple LOGITEC products

Published: 2021-01-26 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)

CVSS v2: 7.7 High
  Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C
  Attack Vector: ADJACENT_NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS v3: 6.8 Medium
  Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: ADJACENT
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.002 Low (percentile 55.9%)

Multiple products provided by LOGITEC CORPORATION contain multiple vulnerabilities listed below.

Improper restriction of excessive authentication attempts (CWE-307) - CVE-2021-20635

CVSS v3: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Base Score: 4.3)
CVSS v2: AV:A/AC:L/Au:N/C:P/I:N/A:N (Base Score: 3.3)

Cross-site request forgery (CWE-352) - CVE-2021-20636, CVE-2021-20641

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Base Score: 4.3)
CVSS v2: AV:N/AC:H/Au:N/C:P/I:P/A:N (Base Score: 4.0)

Improper check or handling of exceptional conditions (CWE-703) - CVE-2021-20637, CVE-2021-20642

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (Base Score: 4.3)
CVSS v2: AV:N/AC:H/Au:N/C:N/I:N/A:P (Base Score: 2.6)

OS command injection (CWE-78) - CVE-2021-20638

CVSS v3: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Base Score: 6.8)
CVSS v2: AV:A/AC:L/Au:S/C:P/I:P/A:P (Base Score: 5.2)

OS command injection (CWE-78) - CVE-2021-20639

CVSS v3: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Base Score: 6.8)
CVSS v2: AV:A/AC:L/Au:S/C:P/I:P/A:P (Base Score: 5.2)

Buffer overflow (CWE-119) - CVE-2021-20640

CVSS v3: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Base Score: 6.8)
CVSS v2: AV:A/AC:L/Au:S/C:P/I:P/A:P (Base Score: 5.2)

Impact

  • An attacker within wireless range of the device may recover the PIN and access the network - CVE-2021-20635
  • If a user who is logged in to the administrative web page of the device accesses a specially crafted URL, unintended operations on the device, such as changes to the device settings, may be performed - CVE-2021-20636, CVE-2021-20641
  • If a user who is logged in to the administrative web page of the device accesses a specially crafted URL, a denial-of-service (DoS) condition may result - CVE-2021-20637, CVE-2021-20642
  • An attacker who can access the administrative web page of the device may execute arbitrary OS commands - CVE-2021-20638, CVE-2021-20639, CVE-2021-20640

Solution

Stop using the products
The developer states that these vulnerable products are no longer supported; therefore, stop using them.

Products Affected

  • LAN-WH450N/GR - CVE-2021-20635
  • LAN-W300N/PR5B - CVE-2021-20636, CVE-2021-20637
  • LAN-W300N/PGRB - CVE-2021-20638, CVE-2021-20639, CVE-2021-20640
  • LAN-W300N/RS - CVE-2021-20641, CVE-2021-20642
