NVD Vulnerability Detail

CVE-2017-11420

Summary	Stack-based buffer overflow in ASUS_Discovery.c in networkmap in Asuswrt-Merlin firmware for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code via long device information that is mishandled during a strcat to a device list.
Publication Date	July 18, 2017, 2:29 p.m.
Registration Date	Jan. 26, 2021, 1:12 p.m.
Last Update	Nov. 21, 2024, 12:07 p.m.

CVSS3.0 : CRITICAL
スコア	9.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : HIGH
Score	10.0
Vector	AV:N/AC:L/Au:N/C:C/I:C/A:C
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac5300_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac5300:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt_ac1900p_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt_ac1900p_:-:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac68u_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac68u:-:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac68p_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac68p:-:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac88u_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac88u:-:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac66u_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac66u:-:::::::*

Configuration7		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac66u_b1_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac66u_b1:-:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac58u_firmware::::::::			3.0.0.4.380.7485
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac58u:-:::::::*

Configuration9		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac56u_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac56u:-:::::::*

Configuration10		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac55u_firmware::::::::			3.0.0.4.380.7378
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac55u:-:::::::*

Configuration11		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac52u_firmware::::::::			3.0.0.4.380.4180
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac52u:-:::::::*

Configuration12		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac51u_firmware::::::::			3.0.0.4.380.7378
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac51u:-:::::::*

Configuration13		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n18u_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n18u:-:::::::*

Configuration14		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n66u_firmware::::::::			3.0.0.4.380.7378
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n66u:-:::::::*

Configuration15		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n56u_firmware::::::::			3.0.0.4.378.7177
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n56u:-:::::::*

Configuration16		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac3200_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac3200:-:::::::*

Configuration17		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac3100_firmware::::::::			3.0.0.4.380.7743
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac3100:-:::::::*

Configuration18		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt_ac1200gu_firmware::::::::			3.0.0.4.380.5577
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt_ac1200gu:-:::::::*

Configuration19		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt_ac1200g_firmware::::::::			3.0.0.4.380.3167
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt_ac1200g:-:::::::*

Configuration20		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac1200_firmware::::::::			3.0.0.4.380.9880
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac1200:-:::::::*

Configuration21		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-ac53_firmware::::::::			3.0.0.4.380.9883
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-ac53:-:::::::*

Configuration22		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n12hp_firmware::::::::			3.0.0.4.380.2943
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n12hp:-:::::::*

Configuration23		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n12hp_b1_firmware::::::::			3.0.0.4.380.3479
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n12hp_b1:-:::::::*

Configuration24		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n12d1_firmware::::::::			3.0.0.4.380.7378
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n12d1:-:::::::*

Configuration25		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n12\+_firmware::::::::			3.0.0.4.380.7378
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n12\+:-:::::::*

Configuration26		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt_n12\+_pro_firmware::::::::			3.0.0.4.380.9880
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt_n12\+_pro:-:::::::*

Configuration27		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n16_firmware::::::::			3.0.0.4.380.7378
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n16:-:::::::*

Configuration28		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin_project:rt-n300_firmware::::::::			3.0.0.4.380.7378
execution environment
1	cpe:2.3:h:asuswrt-merlin_project:rt-n300:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2017/07/13/1	Exploit Mailing List Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2017/07/13/1	Exploit Mailing List Third Party Advisory
3	https://asuswrt.lostrealm.ca/changelog
4	https://asuswrt.lostrealm.ca/changelog

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

JVN Vulnerability Information

複数の ASUS デバイス用 Asuswrt-Merlin ファームウェアおよび ASUS ファームウェアのネットワークマップの ASUS_Discovery.c におけるスタックベースのバッファオーバーフローの脆弱性

Title	複数の ASUS デバイス用 Asuswrt-Merlin ファームウェアおよび ASUS ファームウェアのネットワークマップの ASUS_Discovery.c におけるスタックベースのバッファオーバーフローの脆弱性
Summary	複数の ASUS デバイス用 Asuswrt-Merlin ファームウェアおよび ASUS ファームウェアのネットワークマップの ASUS_Discovery.c には、スタックベースのバッファオーバーフローの脆弱性が存在します。
Possible impacts	リモートの攻撃者により、デバイスリストの文字列の連結 (strcat) 中に誤って処理される過度に長いデバイス情報を介して、任意のコードを実行される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	July 13, 2017, midnight
Registration Date	Aug. 14, 2017, 7:06 p.m.
Last Update	Aug. 14, 2017, 7:06 p.m.

Affected System

Asuswrt-Merlin firmware project

RT AC1200G ファームウェア

RT AC1200GU ファームウェア

RT AC1900P ファームウェア

RT N12+ PRO ファームウェア

RT-AC1200 ファームウェア

RT-AC3100 ファームウェア

RT-AC3200 ファームウェア

RT-AC51U ファームウェア

RT-AC52U ファームウェア

RT-AC53 ファームウェア

RT-AC5300 ファームウェア

RT-AC55U ファームウェア

RT-AC56U ファームウェア

RT-AC58U ファームウェア

RT-AC66U B1 ファームウェア

RT-AC66U ファームウェア

RT-AC68P ファームウェア

RT-AC68U ファームウェア

RT-AC88U ファームウェア

RT-N12+ ファームウェア

RT-N12D1 ファームウェア

RT-N12HP B1 ファームウェア

RT-N12HP ファームウェア

RT-N16 ファームウェア

RT-N18U ファームウェア

RT-N300 ファームウェア

RT-N56U ファームウェア

RT-N66U ファームウェア

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-11420	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11420
National Vulnerability Database (NVD)
2	CVE-2017-11420	https://nvd.nist.gov/vuln/detail/CVE-2017-11420
関連文書
3	CVE-IDs request for ASUS wiress router Remote Command/Code Execution Vulnerability	http://www.openwall.com/lists/oss-security/2017/07/13/1

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Asuswrt-Merlin
1	Top Page	https://asuswrt.lostrealm.ca/

Change Log

No	Changed Details	Date of change
0	[2017年08月14日] 掲載	Feb. 17, 2018, 10:37 a.m.