Announcement on vulnerabilities

20.08.2018


Security vulnerabilities have been detected in the embedded software of some w24 multichannel routers. An attacker can use these defects to escalate user privileges on affected routers.

The CVE identifiers for the vulnerabilities are:

  • CVE-2018-14321
  • CVE-2018-14322
  • CVE-2018-14323

The vulnerabilities are associated with the privileges of the Remote User account and can be exploited when the following conditions are met:

  • the attacker knows a valid username and password for the Remote User account
  • the attacker is connected to the LAN side of the router.

Note that in the default configuration connections established from the WAN side are denied, so these vulnerabilities are typically exploitable only by LAN-connected attackers.

The affected SW versions are the following:

  • w24e SW versions 4.0.3.x, 4.0.4, 4.0.5.x, 4.0.6.x before version 4.0.6.4
  • w24h SW versions before version 1.2.0.3

The security vulnerabilities have now been fixed by removing the Remote User functionality.

We recommend that our customers upgrade the software in their routers to the following versions, both to patch these vulnerabilities and to be at the latest software level:

  • 4.0.6.4 (routers w24e/w24e-S/w24)
  • 1.2.0.3 (routers w24h-S/w24h-I).
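The following inventory check is an added example, not part of the advisory or the vendor's tooling. It encodes the affected and fixed versions listed above so that a fleet of routers can be screened for the ones still needing the upgrade. It assumes (the advisory does not state this) that the w24e list "4.0.3.x, 4.0.4, 4.0.5.x, 4.0.6.x before 4.0.6.4" is one contiguous range from 4.0.3 up to but not including 4.0.6.4, that software versions are dotted integers, and that the model-to-family mapping follows the fixed-version list above. The sample inventory is constructed.

```python
"""Inventory check for the w24 advisory: flag routers running an affected
software version and report the version they must be upgraded to.

Assumptions (not stated in the advisory): the w24e affected list is treated
as one contiguous range [4.0.3, 4.0.6.4); versions are dotted integers; the
model-to-family mapping is taken from the advisory's fixed-version list.
"""

# Per family: the models it covers, the lowest affected version (None means
# every earlier version is affected) and the version that carries the fix.
FAMILIES = {
    "w24e": {"models": {"w24e", "w24e-S", "w24"},
             "affected_from": "4.0.3", "fixed_in": "4.0.6.4"},
    "w24h": {"models": {"w24h-S", "w24h-I"},
             "affected_from": None, "fixed_in": "1.2.0.3"},
}


def parse_version(text):
    """Turn '4.0.6.4' into (4, 0, 6, 4) so tuples compare numerically.
    Trailing zeros are dropped so that 4.0.4 and 4.0.4.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def family_of(model):
    """Map a router model name to its software family."""
    for name, spec in FAMILIES.items():
        if model in spec["models"]:
            return name
    raise ValueError(f"unknown router model: {model}")


def is_affected(model, version):
    """True when model/version lies inside the advisory's affected range."""
    spec = FAMILIES[family_of(model)]
    v = parse_version(version)
    lower = spec["affected_from"]
    if lower is not None and v < parse_version(lower):
        return False          # older than the earliest listed affected version
    return v < parse_version(spec["fixed_in"])


def required_upgrade(model, version):
    """Return the version to upgrade to, or None if the router is patched."""
    spec = FAMILIES[family_of(model)]
    return spec["fixed_in"] if is_affected(model, version) else None


# Constructed sample inventory of (model, software version); not real data.
SAMPLE_INVENTORY = [
    ("w24e", "4.0.3.7"),
    ("w24", "4.0.6.2"),
    ("w24e-S", "4.0.6.4"),
    ("w24h-S", "1.1.9.0"),
    ("w24h-I", "1.2.0.3"),
]


def audit(inventory):
    """Return [(model, version, fixed_version)] for every affected router."""
    findings = []
    for model, version in inventory:
        target = required_upgrade(model, version)
        if target is not None:
            findings.append((model, version, target))
    return findings


if __name__ == "__main__":
    for model, version, target in audit(SAMPLE_INVENTORY):
        print(f"{model} running {version}: affected, upgrade to {target}")
```

Running the module prints one line per affected router in the sample inventory; `audit()` is the function to call on a real export. Because the fix removes the Remote User functionality rather than patching it, a router that reports the fixed version no longer exposes the account at all, so the check is purely version-based.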

The vulnerability bulletin of the Finnish Communications Regulatory Authority is available at:

https://www.viestintavirasto.fi/en/cybersecurity/v...