製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の ASUS デバイス用 Asuswrt-Merlin ファームウェアおよび ASUS ファームウェアにおけるバッファエラーの脆弱性

Title	複数の ASUS デバイス用 Asuswrt-Merlin ファームウェアおよび ASUS ファームウェアにおけるバッファエラーの脆弱性
Summary	複数の ASUS デバイス用 Asuswrt-Merlin ファームウェアおよび ASUS ファームウェアには、バッファエラーの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 10, 2017, midnight
Registration Date	Sept. 15, 2017, 3:39 p.m.
Last Update	Sept. 15, 2017, 3:39 p.m.

CVSS3.0 : 重要
Score	8.8
Vector	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2.0 : 警告
Score	6.5
Vector	AV:N/AC:L/Au:S/C:P/I:P/A:P

Affected System

Asuswrt-Merlin firmware project

Asuswrt-Merlin ファームウェア

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-12754	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12754
National Vulnerability Database (NVD)
2	CVE-2017-12754	https://nvd.nist.gov/vuln/detail/CVE-2017-12754

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Asuswrt-Merlin
1	Top Page	https://asuswrt.lostrealm.ca/

その他

No	Name	URL
関連文書
1	Wireless-Router-Vulnerability/Asus_DeleteOfflineClientOverflow.txt	https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/Asus_DeleteOfflineClientOverflow.txt

Change Log

No	Changed Details	Date of change
0	[2017年09月15日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-12754

Summary	Stack buffer overflow in httpd in Asuswrt-Merlin firmware 380.67_0RT-AC5300 and earlier for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code on the router by sending a crafted http GET request packet that includes a long delete_offline_client parameter in the url.
Publication Date	Aug. 10, 2017, 12:29 a.m.
Registration Date	Jan. 26, 2021, 1:14 p.m.
Last Update	Nov. 21, 2024, 12:10 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin:asuswrt-merlin::::::::			380.67
execution environment
1	cpe:2.3:h:asuswrt-merlin:rt-ac1200:-:::::::*
2	cpe:2.3:h:asuswrt-merlin:rt-ac3100:-:::::::*
3	cpe:2.3:h:asuswrt-merlin:rt-ac3200:-:::::::*
4	cpe:2.3:h:asuswrt-merlin:rt-ac51u:-:::::::*
5	cpe:2.3:h:asuswrt-merlin:rt-ac52u:-:::::::*
6	cpe:2.3:h:asuswrt-merlin:rt-ac53:-:::::::*
7	cpe:2.3:h:asuswrt-merlin:rt-ac5300:-:::::::*
8	cpe:2.3:h:asuswrt-merlin:rt-ac55u:-:::::::*
9	cpe:2.3:h:asuswrt-merlin:rt-ac56u:-:::::::*
10	cpe:2.3:h:asuswrt-merlin:rt-ac58u:-:::::::*
11	cpe:2.3:h:asuswrt-merlin:rt-ac66u:-:::::::*
12	cpe:2.3:h:asuswrt-merlin:rt-ac66u_b1:-:::::::*
13	cpe:2.3:h:asuswrt-merlin:rt-ac68p:-:::::::*
14	cpe:2.3:h:asuswrt-merlin:rt-ac68u:-:::::::*
15	cpe:2.3:h:asuswrt-merlin:rt-ac88u:-:::::::*
16	cpe:2.3:h:asuswrt-merlin:rt-n12\+:-:::::::*
17	cpe:2.3:h:asuswrt-merlin:rt-n12d1:-:::::::*
18	cpe:2.3:h:asuswrt-merlin:rt-n12hp:-:::::::*
19	cpe:2.3:h:asuswrt-merlin:rt-n12hp_b1:-:::::::*
20	cpe:2.3:h:asuswrt-merlin:rt-n16:-:::::::*
21	cpe:2.3:h:asuswrt-merlin:rt-n18u:-:::::::*
22	cpe:2.3:h:asuswrt-merlin:rt-n300:-:::::::*
23	cpe:2.3:h:asuswrt-merlin:rt-n56u:-:::::::*
24	cpe:2.3:h:asuswrt-merlin:rt-n66u:-:::::::*
25	cpe:2.3:h:asuswrt-merlin:rt_ac1200g:-:::::::*
26	cpe:2.3:h:asuswrt-merlin:rt_ac1200gu:-:::::::*
27	cpe:2.3:h:asuswrt-merlin:rt_ac1900p:-:::::::*
28	cpe:2.3:h:asuswrt-merlin:rt_n12\+_pro:-:::::::*

Related information, measures and tools

No	URL	タグ
1	https://asuswrt.lostrealm.ca/changelog	Vendor Advisory
2	https://asuswrt.lostrealm.ca/changelog	Vendor Advisory
3	https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/Asus_DeleteOfflineClientOverflow.txt	Third Party Advisory
4	https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/Asus_DeleteOfflineClientOverflow.txt	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:asuswrt-merlin:asuswrt-merlin::::::::			380.67
execution environment
1	cpe:2.3:h:asuswrt-merlin:rt-ac1200:-:::::::*
2	cpe:2.3:h:asuswrt-merlin:rt-ac3100:-:::::::*
3	cpe:2.3:h:asuswrt-merlin:rt-ac3200:-:::::::*
4	cpe:2.3:h:asuswrt-merlin:rt-ac51u:-:::::::*
5	cpe:2.3:h:asuswrt-merlin:rt-ac52u:-:::::::*
6	cpe:2.3:h:asuswrt-merlin:rt-ac53:-:::::::*
7	cpe:2.3:h:asuswrt-merlin:rt-ac5300:-:::::::*
8	cpe:2.3:h:asuswrt-merlin:rt-ac55u:-:::::::*
9	cpe:2.3:h:asuswrt-merlin:rt-ac56u:-:::::::*
10	cpe:2.3:h:asuswrt-merlin:rt-ac58u:-:::::::*
11	cpe:2.3:h:asuswrt-merlin:rt-ac66u:-:::::::*
12	cpe:2.3:h:asuswrt-merlin:rt-ac66u_b1:-:::::::*
13	cpe:2.3:h:asuswrt-merlin:rt-ac68p:-:::::::*
14	cpe:2.3:h:asuswrt-merlin:rt-ac68u:-:::::::*
15	cpe:2.3:h:asuswrt-merlin:rt-ac88u:-:::::::*
16	cpe:2.3:h:asuswrt-merlin:rt-n12\+:-:::::::*
17	cpe:2.3:h:asuswrt-merlin:rt-n12d1:-:::::::*
18	cpe:2.3:h:asuswrt-merlin:rt-n12hp:-:::::::*
19	cpe:2.3:h:asuswrt-merlin:rt-n12hp_b1:-:::::::*
20	cpe:2.3:h:asuswrt-merlin:rt-n16:-:::::::*
21	cpe:2.3:h:asuswrt-merlin:rt-n18u:-:::::::*
22	cpe:2.3:h:asuswrt-merlin:rt-n300:-:::::::*
23	cpe:2.3:h:asuswrt-merlin:rt-n56u:-:::::::*
24	cpe:2.3:h:asuswrt-merlin:rt-n66u:-:::::::*
25	cpe:2.3:h:asuswrt-merlin:rt_ac1200g:-:::::::*
26	cpe:2.3:h:asuswrt-merlin:rt_ac1200gu:-:::::::*
27	cpe:2.3:h:asuswrt-merlin:rt_ac1900p:-:::::::*
28	cpe:2.3:h:asuswrt-merlin:rt_n12\+_pro:-:::::::*