SB2022100410 - Multiple vulnerabilities in Buffalo network devices

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Hidden functionality (CVE-ID: CVE-2022-39044)

The vulnerability allows a remote user to compromise vulnerable system

The vulnerability exists due to hidden functionality (backdoor) is present in software. A remote administrator on the local network can use this functionality to gain full access to the application and execute arbitrary OS commands on the system.

2) Use of hard-coded credentials (CVE-ID: CVE-2022-34840)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker on the local network can modify configuration settings of the target device.

3) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2022-40966)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests. A remote attacker on the local network can bypass authentication for the target device.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/en/vu/JVNVU92805279/index.html
• https://www.buffalo.jp/news/detail/20221003-01.html