Multiple vulnerabilities in multiple ELECOM LAN routers
On November 30, JPCERT Coordination Center (JPCERT/CC) published an advisory on Japan Vulnerability Notes (JVN), the vulnerability information portal operated jointly by the Information-technology Promotion Agency (IPA) and JPCERT/CC, describing multiple vulnerabilities in LAN routers provided by ELECOM Corporation. The vulnerabilities were reported by Yasuzo Tsukamoto, Tomonori Yamamoto and Ryo Imaoka (Mitsui Bussan Secure Directions, Inc., Cyber Security Research Group) and by Satoru Nagaoka (Cyber Defense Institute, Inc.).

The affected products and firmware versions, grouped by CVE, are as follows.

・ CVE-2021-20852, CVE-2021-20853, CVE-2021-20854, CVE-2021-20855, CVE-2021-20856: WRH-733GBK firmware v1.02.9 and earlier; WRH-733GWH firmware v1.02.9 and earlier
・ CVE-2021-20857, CVE-2021-20858: WRC-2533GHBK-I firmware v1.20 and earlier
・ CVE-2021-20859, CVE-2021-20860, CVE-2021-20861: WRC-1167GST2 firmware v1.25 and earlier; WRC-1167GST2A firmware v1.25 and earlier; WRC-1167GST2H firmware v1.25 and earlier; WRC-2533GS2-B firmware v1.52 and earlier; WRC-2533GS2-W firmware v1.52 and earlier; WRC-1750GS firmware v1.03 and earlier; WRC-1750GSV firmware v2.11 and earlier; WRC-1900GST firmware v1.03 and earlier; WRC-2533GST firmware v1.03 and earlier; WRC-2533GSTA firmware v1.03 and earlier; WRC-2533GST2 firmware v1.25 and earlier; WRC-2533GST2SP firmware v1.25 and earlier; WRC-2533GST2-G firmware v1.25 and earlier; EDWRC-2533GST2 firmware v1.

A successful attack against an affected router may have the following impacts.

・ Buffer overflow (CVE-2021-20852): arbitrary OS command execution by a third party on the adjacent network who can log in to the product's management screen
・ OS command injection (CVE-2021-20853, CVE-2021-20854): arbitrary OS command execution by a third party on the adjacent network who can log in to the product's management screen
・ Cross-site scripting (CVE-2021-20855, CVE-2021-20856): arbitrary script execution in the web browser of a user who is logged in to the product
・ Cross-site scripting (CVE-2021-20857): arbitrary script execution in the web browser of a user who is logged in to the product
・ Cross-site scripting (CVE-2021-20858): arbitrary script execution in the web browser of a user who is logged in to the product
・ OS command injection (CVE-2021-20859): arbitrary OS command execution by a third party on the adjacent network who can log in to the product
・ Cross-site request forgery (CVE-2021-20860): unintended operations may be performed if a user who is logged in to the product accesses a crafted page
・ Improper access restriction (CVE-2021-20861): a third party on the adjacent network may access the management screen without authentication

Two points for practitioners: "adjacent network" means the attacker must already be on the same LAN or Wi-Fi segment as the router, and the login prerequisite on the command-injection issues offers less protection on the product lines that are also affected by the missing access restriction in CVE-2021-20861, which targets the same management screen. Based on information provided by the developer, JVN is calling on users to update the firmware to the latest version.
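The advisory does not describe the internals of the affected firmware, so the following is an added illustration of the vulnerability class behind the OS command injection entries (CVE-2021-20853, CVE-2021-20854, CVE-2021-20859) in the form typically found in router management CGIs written in C; it is not ELECOM's code. The diagnostic `ping` page, the name of its `host` field and the sample payload are assumptions made for the example. The vulnerable builder splices the field into a shell command line, while the hardened version applies an allowlist and produces an argv vector for `execvp()` so that no shell ever parses the value.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample input (assumption for this example): the value of a
 * hypothetical "host" field on a router's diagnostic ping page, carrying a
 * shell metacharacter payload.
 */
static const char *SAMPLE_HOST = "192.0.2.1; cat /etc/passwd";

/*
 * Vulnerable pattern: the untrusted field is spliced into a command line that
 * is later handed to system() or popen(). The shell parses ';' as a command
 * separator, so the attacker's command runs with the CGI's privileges
 * (typically root on embedded routers). Returns 0 on success, -1 if truncated.
 */
int build_ping_command_vulnerable(const char *host, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "ping -c 3 %s", host);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/*
 * Allowlist check for the target field: hostnames and IPv4 literals only
 * (letters, digits, '.', '-'), bounded length, and no leading '-' so the value
 * cannot be parsed as a ping option. Returns 1 if acceptable, 0 otherwise.
 */
int is_valid_target(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/*
 * Hardened pattern: validate first, then build an argv vector to be passed to
 * fork()+execvp() (cast to char *const * at the call site). No shell is
 * involved, so metacharacters in the field carry no meaning even if the
 * validation is later relaxed. argv must have room for 5 entries.
 * Returns 0 on success, -1 if the target is rejected.
 */
int build_ping_argv_safe(const char *host, const char *argv[5]) {
    if (!is_valid_target(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}

int main(void) {
    char cmd[256];
    const char *argv[5];

    if (build_ping_command_vulnerable(SAMPLE_HOST, cmd, sizeof cmd) == 0)
        printf("vulnerable command line: %s\n", cmd); /* everything after ';' would run */

    if (build_ping_argv_safe(SAMPLE_HOST, argv) == -1)
        printf("hardened handler rejected: %s\n", SAMPLE_HOST);

    if (build_ping_argv_safe("192.0.2.1", argv) == 0)
        printf("hardened argv[3]: %s (no shell involved)\n", argv[3]);
    return 0;
}
```

The allowlist is deliberately the first line of defence and the shell-free exec the second: input validation alone is brittle (a later field, encoding or option may be overlooked), whereas an argv vector handed to `execvp()` never reaches a shell, so the worst a bad value can do is fail to resolve as a host.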