Multiple router products in Yamaha require vulnerabilities and firmware updates

JPCERT Coordination Center (JPCERT/CC: Japan Computer Emergency Response Team Cooordination Center) was provided by Yamaha in the "JVNVU#9161784: Multiple vulnerabilities in Yamaha's routers" provided by Yamaha Corporation.The product reported that vulnerabilities were reported.According to the abuse of these vulnerabilities, there is a risk that the configuration information of the product affected by the attacker will be changed or confidential information will be stolen.

The following announcements have been released from Yamaha, NTT East and NTT West for details on the reported vulnerabilities.

The reported vulnerabilities are as follows.

The expected impact on the case of abuse depends on the vulnerability, but all are damaged by accessing a malicious page created by an attacker.If CVE-2021-20843 is abused, the product setting information may be changed.In addition, if CVE-2021-20844 is misused, the product setting information may be changed and the information may be theft.

The affected products and versions are as follows:

In each of the vulnerability, the firmware of the modified version has been released, and the update to the following versions can avoid the effects of vulnerabilities.

If you can't update the firmware for any reason, disabling the HTTP server function or prohibiting access to the web GUI settings from all hosts can avoid the effects of vulnerabilities.