Vulnerabilities Found in the TR-7W, RTR-5W, WDR-3, and WS-2
Vulnerabilities have been found in some discontinued products.
Please check the details of the vulnerabilities and either stop using the affected products or review your operating environment.
Affected Products
- TR-71W/72W All Firmware Versions
- RTR-5W All Firmware Versions
- WDR-3 All Firmware Versions
- WS-2 All Firmware Versions
Vulnerability Report Provided by JPCERT
- Client-Side Enforcement of Server-Side Security (CVE-602) [CVE-2023-22654]
- Improper Authentication (CWE-287) [CVE-2023-27388]
- Lack of Authentication for Critical Functionality (CWE-306) [CVE-2023-23545]
- Cross-Site Request Forgery (CWE-352) [CVE-2023-27387]
Descriptions of Vulnerabilities
Possible impacts of each vulnerability are as follows.
- [CVE-2023-22654] Arbitrary scripts can be executed via a web browser while logged into the target product.
- [CVE-2023-27388] This vulnerability allows an attacker with access to the target product to log in as an authorized user to the target product.
- [CVE-2023-23545] This vulnerability allows an attacker with access to the target product to tamper with the settings of the target product without authentication.
- [CVE-2023-27387] This vulnerability allows a user who is logged in to the target product to perform unintended operations on the target device when accessing a doctored page.
Response to Vulnerabilities
The manufacture and sale of the above products were discontinued by 2014.
For some of the affected products, there are updates with improved security features but these updates do not address the above vulnerabilities. As the only permanent measure to protect from these vulnerabilities, we strongly suggest that you stop using the affected products.
While still using the affected products, the following measures are recommended.
How to Mitigate the Impact of Found Vulnerabilities
- Configure the network in which the target product is connected as a reliable closed network to ensure secure access.
- Fix accessible devices by using IP address restrictions, etc. at the upper levels of the network of the target product.
- Install a Web Application Firewall (WAF) above the network of the target product to filter attacks.
Products with Updates for Improved Security
- TR-71W/72W
Note that even using this updated version will not guard against the above mentioned vulnerabilities.