Buffalo Routers Multiple Vulnerabilities (TRA-2021-13)
critical Nessus Plugin ID 152198
Language:
Synopsis
The remote device is affected by multiple vulnerabilities.Description
Nessus was able to determine that the remote Buffalo device is affected by multiple vulnerabilities:- A path traversal vulnerability in the web interfaces of certain Buffalo router models could allow unauthenticated remote attackers to bypass authentication. (CVE-2021-20090)
- The web interfaces of certain Buffalo router models do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. (CVE-2021-20091)
- The web interfaces of certain Buffalo router models do not properly restrict access to sensitive information from an unauthorized actor. (CVE-2021-20092)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Vendor has released fixes for certain models. Contact vendor for more information.See Also
Plugin Details
Severity: Critical
ID: 152198
File Name: buffalo_wsr_cve_2021_20090.nasl
Version: 1.5
Type: remote
Family: Misc.
Published: 8/4/2021
Updated: 1/20/2022
Risk Information
VPR
Risk Factor: High
Score: 8.4
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal Vector: E:H/RL:OF/RC:C
CVSS Score Source: CVE-2021-20090
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 9.4
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: E:H/RL:O/RC:C
Vulnerability Information
CPE: x-cpe:/a:buffalo:buffalo
Required KB Items: installed_sw/Buffalo WWW
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/26/2021
Vulnerability Publication Date: 4/26/2021
CISA Known Exploited Dates: 11/17/2021