Published: May 25, 2012
>> JAPANESE

1.Overview

The LAN-W300N/R series produced by Logitec Corporation have a vulnerability where a remote attacker may gain access to the administration tool due to a flaw in access control. If exploited, there is a possibility that a remote attacker can log in the product as the administrator, view and change the configuration.

Get the fixed version at the following URL and update the firmware.
http://www.logitec.co.jp/info/2012/0516.html (Japanese)
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2012-000051

In line with the Information Security Early Warning Partnership, the IPA received a report concerning this vulnerability through the creditee below, and the JPCERT Coordination Center (JPCERT/CC) made adjustments to clarify the matter with the product developer and made it public on May 25, 2012.

Credit:

Jin Sawada, Keisuke Okazaki, Naoto Katsumi

IT Security Center, Information-technology Promotion Agency, Japan (ISEC/IPA)

2.Impact

An attacker may gain access to the administrator tool of the LAN-W300N/R series from WAN. As a result, there is a possibility that the attacker can log in the product as the administrator, view and change the configuration.

3.Solution

To fix this vulnerability, update the firmware to the latest version.

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score)	□ Low (0.0~3.9)	□Medium (4.0~6.9)	■ High (7.0~10.0)
CVSS base score			7.5

(2) Base Score Metrics

AV:Access Vector	□ Local	□ Adjacent 　Network	■ Network
AC:Access Complexity	□ High	□ Medium	■ Low
Au:Authentication	□ Multiple	□ Single	■ None
C:Confidentiality Impact	□ None	■ Partial	□ Complete
I:Integrity Impact	□ None	■ Partial	□ Complete
A:Availability Impact	□ None	■ Partial	□ Complete

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as “Permissions, Privileges, and Access Controls (CWE-264)”.

Contact