IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in Multiple I-O DATA Wireless LAN Routers

March 18, 2008

Information-technology Promotion Agency, Japan (IPA, Chairman Buheita Fujiwara) has issued the Security Alert for Vulnerability in Multiple I-O DATA Wireless LAN Routers on March 18, 2008.
The authentication feature of multiple I-O DATA wireless LAN routers is not effective by default. This vulnerability allows an attacker to log into the web administration interface without authentication and execute unauthorized operations.
When exploited, an attacker could change the administrator password and the configuration settings.
To fix the problem, update the firmware to the latest version or change the configuration setting.

1.Overview

The WN-APG/R Series and the WN-WAPG/R Series from I-O DATA provide a web administration interface for configuring the router settings. The authentication feature of the WN-APG/R Series and the WN-WAPG/R Series is not effective by default, which leaves the web administration interface open to unauthorized access. A remote attacker could obtain configuration information or execute unauthorized operations.

For information on affected products, please refer to:
http://www.iodata.jp/news/oshirase.htm (in Japanese)

For affected systems and the latest information on the vulnerability, please refer to:
http://jvndb.jvn.jp/contents/en/2008/JVNDB-2008-000017.html

The person credited below reported this vulnerability to IPA on November 24, 2007. JPCERT Coordination Center (JPCERT/CC) coordinated with the product vendors and published the vulnerability on March 18, 2008, under the Information Security Early Warning Partnership.
Credit: Hirotaka Katagiri

2.Impact

The authentication feature of multiple I-O DATA wireless LAN routers is not effective by default, which allows a remote attacker to obtain configuration information or execute unauthorized operations on the web administration interface.

3.Solution

To fix the problem, update the firmware to the latest version or change the configuration setting. Check the following vendor site and take the appropriate action, as the solution varies depending on the affected product.
http://www.iodata.jp/news/oshirase.htm (in Japanese)

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score): □ Low (0.0~3.9) □ Medium (4.0~6.9) ■ High (7.0~10.0)
CVSS base score: 7.5

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High □ Medium ■ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete

■:Selected Values

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: