ID

VAR-201502-0455


CVE

CVE-2014-7270


TITLE

Multiple ASUS wireless LAN routers vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2015-000012

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376.3715 and earlier allows remote attackers to hijack the authentication of arbitrary users. Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain a cross-site request forgery vulnerability. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. If a user views a malicious page while logged in, unintended operations may be conducted. In addition, when this vulnerability is exploited along with the vulnerability stated in JVN#77792759, an arbitrary OS command may be executed. A cross-site request forgery vulnerability exists in multiple ASUS RT routers that an attacker could use to perform certain unauthorized operations and gain access to affected devices. Other attacks are also possible.

Trust: 2.52

sources: NVD: CVE-2014-7270 // JVNDB: JVNDB-2015-000012 // CNVD: CNVD-2015-00881 // BID: 72392 // VULHUB: VHN-75215

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-00881

AFFECTED PRODUCTS

vendor: asus // model: rt-n56u // scope: lte // version: 3.0.0.4.376.3715

Trust: 1.0

vendor: asus // model: rt-ac68u // scope: eq // version: -

Trust: 1.0

vendor: asus // model: rt-ac68u // scope: lte // version: 3.0.0.4.376.3715

Trust: 1.0

vendor: asus // model: rt-ac56s // scope: lte // version: 3.0.0.4.376.3715

Trust: 1.0

vendor: asus // model: rt-ac56s // scope: eq // version: -

Trust: 1.0

vendor: asus // model: rt-n66u // scope: lte // version: 3.0.0.4.376.3715

Trust: 1.0

vendor: asus // model: rt-ac87u // scope: eq // version: -

Trust: 1.0

vendor: asus // model: rt-n56u // scope: eq // version: -

Trust: 1.0

vendor: asus // model: rt-n66u // scope: eq // version: -

Trust: 1.0

vendor: asus // model: rt-ac87u // scope: lte // version: 3.0.0.4.378.3754

Trust: 1.0

vendor: asus // model: rt-n66u // scope: eq // version: 3.0.0.4.376.3715

Trust: 0.9

vendor: asus // model: rt-n56u // scope: eq // version: 3.0.0.4.376.3715

Trust: 0.9

vendor: asus // model: rt-ac87u // scope: eq // version: 3.0.0.4.378.3754

Trust: 0.9

vendor: asus // model: rt-ac68u // scope: eq // version: 3.0.0.4.376.3715

Trust: 0.9

vendor: asus // model: rt-ac56s // scope: eq // version: 3.0.0.4.376.3715

Trust: 0.9

vendor: asus // model: rt-ac56s // scope: eq // version: firmware prior to 3.0.0.4.378.6065

Trust: 0.8

vendor: asus // model: rt-ac68u // scope: eq // version: firmware prior to 3.0.0.4.378.6152

Trust: 0.8

vendor: asus // model: rt-ac87u // scope: eq // version: firmware prior to 3.0.0.4.378.6065

Trust: 0.8

vendor: asus // model: rt-n56u // scope: eq // version: firmware prior to 3.0.0.4.378.6065

Trust: 0.8

vendor: asus // model: rt-n66u // scope: eq // version: firmware prior to 3.0.0.4.378.6065

Trust: 0.8

vendor: asus // model: japan rt-ac87u routers with // scope: lte // version: <=3.0.0.4.378.3754

Trust: 0.6

vendor: asus // model: rt-ac68u routers with // scope: lte // version: <=3.0.0.4.376.3715

Trust: 0.6

vendor: asus // model: rt-ac56s routers with // scope: lte // version: <=3.0.0.4.376.3715

Trust: 0.6

vendor: asus // model: rt-n66u routers with // scope: lte // version: <=3.0.0.4.376.3715

Trust: 0.6

vendor: asus // model: rt-n56u routers with // scope: lte // version: <=3.0.0.4.376.3715

Trust: 0.6

sources: CNVD: CNVD-2015-00881 // BID: 72392 // JVNDB: JVNDB-2015-000012 // CNNVD: CNNVD-201502-003 // NVD: CVE-2014-7270

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-7270
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2015-000012
value: LOW

Trust: 0.8

CNVD: CNVD-2015-00881
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201502-003
value: MEDIUM

Trust: 0.6

VULHUB: VHN-75215
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-7270
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2015-000012
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2015-00881
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-75215
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2015-00881 // VULHUB: VHN-75215 // JVNDB: JVNDB-2015-000012 // CNNVD: CNNVD-201502-003 // NVD: CVE-2014-7270

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-75215 // JVNDB: JVNDB-2015-000012 // NVD: CVE-2014-7270

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-003

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201502-003

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-000012

PATCH

title: Firmware for wireless LAN routers that addressed cross-site request forgery and OS command injection vulnerabilities are available // url: http://www.asus.com/jp/News/PNzPd7vkXtrKWXHR

Trust: 0.8

title: Patch for multiple ASUS RT router cross-site request forgery vulnerabilities // url: https://www.cnvd.org.cn/patchInfo/show/54910

Trust: 0.6

sources: CNVD: CNVD-2015-00881 // JVNDB: JVNDB-2015-000012

EXTERNAL IDS

db: NVD // id: CVE-2014-7270

Trust: 3.4

db: JVN // id: JVN32631078

Trust: 2.8

db: JVNDB // id: JVNDB-2015-000012

Trust: 2.5

db: BID // id: 72392

Trust: 1.0

db: CNNVD // id: CNNVD-201502-003

Trust: 0.7

db: CNVD // id: CNVD-2015-00881

Trust: 0.6

db: VULHUB // id: VHN-75215

Trust: 0.1

sources: CNVD: CNVD-2015-00881 // VULHUB: VHN-75215 // BID: 72392 // JVNDB: JVNDB-2015-000012 // CNNVD: CNNVD-201502-003 // NVD: CVE-2014-7270

REFERENCES

url:http://jvn.jp/en/jp/jvn32631078/index.html

Trust: 2.8

url:http://www.asus.com/jp/news/pnzpd7vkxtrkwxhr

Trust: 1.7

url:http://jvndb.jvn.jp/jvndb/jvndb-2015-000012

Trust: 1.7

url://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7270

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7270

Trust: 0.8

url:http://www.securityfocus.com/bid/72392

Trust: 0.6

url:http://www.asus.com/

Trust: 0.3

sources: CNVD: CNVD-2015-00881 // VULHUB: VHN-75215 // BID: 72392 // JVNDB: JVNDB-2015-000012 // CNNVD: CNNVD-201502-003 // NVD: CVE-2014-7270

CREDITS

Masashi Sakai

Trust: 0.3

sources: BID: 72392

SOURCES

db: CNVD // id: CNVD-2015-00881
db: VULHUB // id: VHN-75215
db: BID // id: 72392
db: JVNDB // id: JVNDB-2015-000012
db: CNNVD // id: CNNVD-201502-003
db: NVD // id: CVE-2014-7270

LAST UPDATE DATE

2024-11-23T22:34:58.852000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2015-00881 // date: 2015-02-04T00:00:00
db: VULHUB // id: VHN-75215 // date: 2015-02-11T00:00:00
db: BID // id: 72392 // date: 2015-01-28T00:00:00
db: JVNDB // id: JVNDB-2015-000012 // date: 2015-06-17T00:00:00
db: CNNVD // id: CNNVD-201502-003 // date: 2015-02-03T00:00:00
db: NVD // id: CVE-2014-7270 // date: 2024-11-21T02:16:39.070

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2015-00881 // date: 2015-02-03T00:00:00
db: VULHUB // id: VHN-75215 // date: 2015-02-01T00:00:00
db: BID // id: 72392 // date: 2015-01-28T00:00:00
db: JVNDB // id: JVNDB-2015-000012 // date: 2015-01-27T00:00:00
db: CNNVD // id: CNNVD-201502-003 // date: 2015-02-03T00:00:00
db: NVD // id: CVE-2014-7270 // date: 2015-02-01T15:59:03.323