Japan Vulnerability NotesJVN:46892984JVN#46892984: Multiple vulnerabilities in Rakuten Casa
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
80.5%
Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.
Use of Hard-coded Credentials (CWE-798) - CVE-2022-29525
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | Base Score: 5.9 |
| CVSS v2 | AV:N/AC:M/Au:N/C:C/I:N/A:N | Base Score: 7.1 |
Improper Access Control (CWE-284) - CVE-2022-28704
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Base Score: 7.5 |
| CVSS v2 | V:N/AC:L/Au:N/C:C/I:N/A:N | Base Score: 7.8 |
Improper Access Control (CWE-284) - CVE-2022-26834
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Base Score: 7.5 |
| CVSS v2 | AV:N/AC:L/Au:N/C:C/I:N/A:N | Base Score: 7.8 |
Impact
- An attacker who can obtain information about the product housing may log in with the root privileges and perform arbitrary operations - CVE-2022-29525
- If the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings, a remote attacker may log in with the root privileges and perform arbitrary operations - CVE-2022-28704
- The information stored in the product may be obtained as the product is set to accept HTTP connections from the WAN side by default - CVE-2022-26834
Solution
Update the software
According to the developer, the fixed software for these vulnerabilities has been released in August 2021, and in the case where the product housing is properly set in accordance with Terms of Installation, the update is applied automatically.
Products Affected
- Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
80.5%