Vulnerabilities > CVE-2022-40966 - Improper Authentication vulnerability in Buffalo products

CVSS 8.8 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

low complexity

buffalo

CWE-287

NVD

Published: 2022-12-07

Updated: 2022-12-13

Summary

Authentication bypass vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to bypass authentication and access the device. The affected products/versions are as follows: WCR-300 firmware Ver. 1.87 and earlier, WHR-HP-G300N firmware Ver. 2.00 and earlier, WHR-HP-GN firmware Ver. 1.87 and earlier, WPL-05G300 firmware Ver. 1.88 and earlier, WRM-D2133HP firmware Ver. 2.85 and earlier, WRM-D2133HS firmware Ver. 2.96 and earlier, WTR-M2133HP firmware Ver. 2.85 and earlier, WTR-M2133HS firmware Ver. 2.96 and earlier, WXR-1900DHP firmware Ver. 2.50 and earlier, WXR-1900DHP2 firmware Ver. 2.59 and earlier, WXR-1900DHP3 firmware Ver. 2.63 and earlier, WXR-5950AX12 firmware Ver. 3.40 and earlier, WXR-6000AX12B firmware Ver. 3.40 and earlier, WXR-6000AX12S firmware Ver. 3.40 and earlier, WZR-300HP firmware Ver. 2.00 and earlier, WZR-450HP firmware Ver. 2.00 and earlier, WZR-600DHP firmware Ver. 2.00 and earlier, WZR-900DHP firmware Ver. 1.15 and earlier, WZR-1750DHP2 firmware Ver. 2.31 and earlier, WZR-HP-AG300H firmware Ver. 1.76 and earlier, WZR-HP-G302H firmware Ver. 1.86 and earlier, WEM-1266 firmware Ver. 2.85 and earlier, WEM-1266WP firmware Ver. 2.85 and earlier, WLAE-AG300N firmware Ver. 1.86 and earlier, FS-600DHP firmware Ver. 3.40 and earlier, FS-G300N firmware Ver. 3.14 and earlier, FS-HP-G300N firmware Ver. 3.33 and earlier, FS-R600DHP firmware Ver. 3.40 and earlier, BHR-4GRV firmware Ver. 2.00 and earlier, DWR-HP-G300NH firmware Ver. 1.84 and earlier, DWR-PG firmware Ver. 1.83 and earlier, HW-450HP-ZWE firmware Ver. 2.00 and earlier, WER-A54G54 firmware Ver. 1.43 and earlier, WER-AG54 firmware Ver. 1.43 and earlier, WER-AM54G54 firmware Ver. 1.43 and earlier, WER-AMG54 firmware Ver. 1.43 and earlier, WHR-300 firmware Ver. 2.00 and earlier, WHR-300HP firmware Ver. 2.00 and earlier, WHR-AM54G54 firmware Ver. 1.43 and earlier, WHR-AMG54 firmware Ver. 1.43 and earlier, WHR-AMPG firmware Ver. 1.52 and earlier, WHR-G firmware Ver. 1.49 and earlier, WHR-G300N firmware Ver. 1.65 and earlier, WHR-G301N firmware Ver. 1.87 and earlier, WHR-G54S firmware Ver. 1.43 and earlier, WHR-G54S-NI firmware Ver. 1.24 and earlier, WHR-HP-AMPG firmware Ver. 1.43 and earlier, WHR-HP-G firmware Ver. 1.49 and earlier, WHR-HP-G54 firmware Ver. 1.43 and earlier, WLI-H4-D600 firmware Ver. 1.88 and earlier, WS024BF firmware Ver. 1.60 and earlier, WS024BF-NW firmware Ver. 1.60 and earlier, WXR-1750DHP firmware Ver. 2.60 and earlier, WXR-1750DHP2 firmware Ver. 2.60 and earlier, WZR-1166DHP firmware Ver. 2.18 and earlier, WZR-1166DHP2 firmware Ver. 2.18 and earlier, WZR-1750DHP firmware Ver. 2.30 and earlier, WZR2-G300N firmware Ver. 1.55 and earlier, WZR-450HP-CWT firmware Ver. 2.00 and earlier, WZR-450HP-UB firmware Ver. 2.00 and earlier, WZR-600DHP2 firmware Ver. 1.15 and earlier, WZR-600DHP3 firmware Ver. 2.19 and earlier, WZR-900DHP2 firmware Ver. 2.19 and earlier, WZR-AGL300NH firmware Ver. 1.55 and earlier, WZR-AMPG144NH firmware Ver. 1.49 and earlier, WZR-AMPG300NH firmware Ver. 1.51 and earlier, WZR-D1100H firmware Ver. 2.00 and earlier, WZR-G144N firmware Ver. 1.48 and earlier, WZR-G144NH firmware Ver. 1.48 and earlier, WZR-HP-G300NH firmware Ver. 1.84 and earlier, WZR-HP-G301NH firmware Ver. 1.84 and earlier, WZR-HP-G450H firmware Ver. 1.90 and earlier, WZR-S1750DHP firmware Ver. 2.32 and earlier, WZR-S600DHP firmware Ver. 2.19 and earlier, and WZR-S900DHP firmware Ver. 2.19 and earlier.

Vulnerable Configurations

Part	Description	Count
OS	Buffalo Buffalo WCR 300 Firmware 1.86 Buffalo WCR 300 Firmware 1.87 Buffalo WHR HP G300N Firmware - Buffalo WHR HP G300N Firmware 1.96 Buffalo WHR HP G300N Firmware 1.99 Buffalo WHR HP GN Firmware - Buffalo WHR HP GN Firmware 1.86 Buffalo WHR HP GN Firmware 1.87 Buffalo WPL 05G300 Firmware - Buffalo WPL 05G300 Firmware 1.86 Buffalo WPL 05G300 Firmware 1.87 Buffalo WPL 05G300 Firmware 1.88 Buffalo WRM D2133Hp Firmware - Buffalo WRM D2133Hs Firmware - Buffalo WTR M2133Hp Firmware - Buffalo WTR M2133Hs Firmware - Buffalo WXR 1900Dhp Firmware 2.34 Buffalo WXR 1900Dhp2 Firmware 2.48 Buffalo WXR 1900Dhp3 Firmware - Buffalo WXR 5950Ax12 Firmware - Buffalo WXR 6000Ax12B Firmware - Buffalo WXR 6000Ax12S Firmware - Buffalo WZR 300Hp Firmware - Buffalo WZR 300Hp Firmware 1.96 Buffalo WZR 300Hp Firmware 1.99 Buffalo WZR 450Hp Firmware - Buffalo WZR 450Hp Firmware 1.97 Buffalo WZR 450Hp Firmware 1.99 Buffalo WZR 450Hp Firmware 2.00 Buffalo WZR 600Dhp Firmware - Buffalo WZR 600Dhp Firmware 1.97 Buffalo WZR 600Dhp Firmware 1.99 Buffalo WZR 900Dhp Firmware 1.11 Buffalo WZR 1750Dhp2 Firmware 2.28 Buffalo WZR 1750Dhp2 Firmware 2.30 Buffalo WZR HP Ag300H Firmware - Buffalo WZR HP Ag300H Firmware 1.73 Buffalo WZR HP Ag300H Firmware 1.75 Buffalo WZR HP Ag300H Firmware 1.76 Buffalo WZR HP G302H Firmware - Buffalo WZR HP G302H Firmware 1.83 Buffalo WZR HP G302H Firmware 1.85 Buffalo WEM 1266 Firmware - Buffalo WEM 1266 Firmware 2.85 Buffalo WEM 1266Wp Firmware - Buffalo WEM 1266Wp Firmware 2.85 Buffalo Wlae Ag300N Firmware - Buffalo FS 600Dhp Firmware - Buffalo FS 600Dhp Firmware 3.34 Buffalo FS 600Dhp Firmware 3.39 Buffalo FS G300N Firmware - Buffalo FS G300N Firmware 3.13 Buffalo FS G300N Firmware 3.14 Buffalo FS HP G300N Firmware - Buffalo FS HP G300N Firmware 3.32 Buffalo FS HP G300N Firmware 3.33 Buffalo FS R600Dhp Firmware - Buffalo FS R600Dhp Firmware 3.39 Buffalo FS R600Dhp Firmware 3.40 Buffalo BHR 4Grv Firmware - Buffalo BHR 4Grv Firmware 1.96 Buffalo BHR 4Grv Firmware 1.99 Buffalo BHR 4Grv Firmware 2.00 Buffalo DWR HP G300Nh Firmware - Buffalo DWR HP G300Nh Firmware 1.81 Buffalo DWR HP G300Nh Firmware 1.83 Buffalo DWR HP G300Nh Firmware 1.84 Buffalo DWR PG Firmware - Buffalo DWR PG Firmware 1.83 Buffalo HW 450Hp ZWE Firmware - Buffalo HW 450Hp ZWE Firmware 1.91 Buffalo HW 450Hp ZWE Firmware 1.99 Buffalo WER A54G54 Firmware - Buffalo WER A54G54 Firmware 1.43 Buffalo WER Ag54 Firmware - Buffalo WER Am54G54 Firmware - Buffalo WER Amg54 Firmware - Buffalo WHR 300 Firmware - Buffalo WHR 300 Firmware 1.96 Buffalo WHR 300 Firmware 1.99 Buffalo WHR 300Hp Firmware - Buffalo WHR 300Hp Firmware 1.96 Buffalo WHR 300Hp Firmware 1.99 Buffalo WHR 300Hp Firmware 2.00 Buffalo WHR Am54G54 Firmware - Buffalo WHR Amg54 Firmware - Buffalo WHR Ampg Firmware - Buffalo WHR G Firmware - Buffalo WHR G300N Firmware - Buffalo WHR G301N Firmware - Buffalo WHR G301N Firmware 1.86 Buffalo WHR G301N Firmware 1.87 Buffalo WHR G54S Firmware - Buffalo WHR G54S NI Firmware - Buffalo WHR HP Ampg Firmware - Buffalo WHR HP G Firmware - Buffalo WHR HP G54 Firmware - Buffalo WLI H4 D600 Firmware - Buffalo Ws024Bf Firmware - Buffalo Ws024Bf NW Firmware - Buffalo WXR 1750Dhp Firmware 2.42 Buffalo WXR 1750Dhp2 Firmware - Buffalo WZR 1166Dhp Firmware 2.13 Buffalo WZR 1166Dhp2 Firmware 2.13 Buffalo WZR 1750Dhp Firmware 2.28 Buffalo Wzr2 G300N Firmware - Buffalo WZR 450Hp CWT Firmware - Buffalo WZR 450Hp CWT Firmware 1.92 Buffalo WZR 450Hp CWT Firmware 1.99 Buffalo WZR 450Hp CWT Firmware 2.00 Buffalo WZR 450Hp UB Firmware - Buffalo WZR 450Hp UB Firmware 1.96 Buffalo WZR 450Hp UB Firmware 1.99 Buffalo WZR 600Dhp2 Firmware 1.13 Buffalo WZR 600Dhp3 Firmware 2.16 Buffalo WZR 900Dhp2 Firmware 1.13 Buffalo WZR 900Dhp2 Firmware 2.16 Buffalo WZR Agl300Nh Firmware - Buffalo WZR Ampg144Nh Firmware - Buffalo WZR Ampg300Nh Firmware - Buffalo WZR D1100H Firmware - Buffalo WZR D1100H Firmware 1.96 Buffalo WZR D1100H Firmware 1.99 Buffalo WZR G144N Firmware - Buffalo WZR G144Nh Firmware - Buffalo WZR HP G300Nh Firmware - Buffalo WZR HP G300Nh Firmware 1.81 Buffalo WZR HP G300Nh Firmware 1.83 Buffalo WZR HP G301Nh Firmware - Buffalo WZR HP G301Nh Firmware 1.81 Buffalo WZR HP G301Nh Firmware 1.83 Buffalo WZR HP G301Nh Firmware 1.84 Buffalo WZR HP G450H Firmware - Buffalo WZR HP G450H Firmware 1.87 Buffalo WZR HP G450H Firmware 1.89 Buffalo WZR HP G450H Firmware 1.90 Buffalo WZR S1750Dhp Firmware 2.28 Buffalo WZR S600Dhp Firmware 2.16 Buffalo WZR S900Dhp Firmware 2.16	139
Hardware	Buffalo Buffalo WCR 300 - Buffalo WHR HP G300N - Buffalo WHR HP GN - Buffalo WPL 05G300 - Buffalo WRM D2133Hp - Buffalo WRM D2133Hs - Buffalo WTR M2133Hp - Buffalo WTR M2133Hs - Buffalo WXR 1900Dhp - Buffalo WXR 1900Dhp2 - Buffalo WXR 1900Dhp3 - Buffalo WXR 5950Ax12 - Buffalo WXR 6000Ax12B - Buffalo WXR 6000Ax12S - Buffalo WZR 300Hp - Buffalo WZR 450Hp - Buffalo WZR 600Dhp - Buffalo WZR 900Dhp - Buffalo WZR 1750Dhp2 - Buffalo WZR HP Ag300H - Buffalo WZR HP G302H - Buffalo WEM 1266 - Buffalo WEM 1266Wp - Buffalo Wlae Ag300N - Buffalo FS 600Dhp - Buffalo FS G300N - Buffalo FS HP G300N - Buffalo FS R600Dhp - Buffalo BHR 4Grv - Buffalo DWR HP G300Nh - Buffalo DWR PG - Buffalo HW 450Hp ZWE - Buffalo WER A54G54 - Buffalo WER Ag54 - Buffalo WER Am54G54 - Buffalo WER Amg54 - Buffalo WHR 300 - Buffalo WHR 300Hp - Buffalo WHR Am54G54 - Buffalo WHR Amg54 - Buffalo WHR Ampg - Buffalo WHR G - Buffalo WHR G300N - Buffalo WHR G301N - Buffalo WHR G54S - Buffalo WHR G54S NI - Buffalo WHR HP Ampg - Buffalo WHR HP G - Buffalo WHR HP G54 - Buffalo WLI H4 D600 - Buffalo Ws024Bf - Buffalo Ws024Bf NW - Buffalo WXR 1750Dhp - Buffalo WXR 1750Dhp2 - Buffalo WZR 1166Dhp - Buffalo WZR 1166Dhp2 - Buffalo WZR 1750Dhp - Buffalo Wzr2 G300N - Buffalo WZR 450Hp CWT - Buffalo WZR 450Hp UB - Buffalo WZR 600Dhp2 - Buffalo WZR 600Dhp3 - Buffalo WZR 900Dhp2 - Buffalo WZR Agl300Nh - Buffalo WZR Ampg144Nh - Buffalo WZR Ampg300Nh - Buffalo WZR D1100H - Buffalo WZR G144N - Buffalo WZR G144Nh - Buffalo WZR HP G300Nh - Buffalo WZR HP G301Nh - Buffalo WZR HP G450H - Buffalo WZR S1750Dhp - Buffalo WZR S600Dhp - Buffalo WZR S900Dhp -	75

Common Weakness Enumeration (CWE)

CWE-287 - Improper Authentication

Common Attack Pattern Enumeration and Classification (CAPEC)

Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
Exploiting Trust in Client (aka Make the Client Invisible)
An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
Utilizing REST's Trust in the System Resource to Register Man in the Middle
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
Man in the Middle Attack
This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References