Buffalo router vulnerability - need clarification

[dub_it]

I have a (crappy) Buffalo WXR-1900DHP, which seems to have a vulnerability listed on mitre.org. Specifically, it says "Authentication bypass vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to bypass authentication and access the device.".

Could someone clarify what they mean by "adjacent network"? There is no firmware update, and I'm wondering if this is a vulnerability that I should be concerned about, or if it's a theoretical flaw that doesn't mean much in the real world.

Thanks

 

[Justinh]

adjacent attack: An attack that originates from the same layer 2 domain as the victim device. Examples of local networks include Bluetooth, 802.1x, and IEEE 802.11.
source

That's all I know.

 

[Tech9]

Could someone clarify what they mean by "adjacent network"?

In this case - your wife has a theoretical possibility to access the router's settings without you providing the password. I believe you are in greater danger if you for whatever reason refuse to provide the password. This is what it means and what you have to be concerned about in the real world.

 

[L&LD]

What it means is that all your device(s) are potentially hackable (easily), in addition to what @Justinh stated.

Depending on what this 'digital front door' is protecting (or, is supposed to be protecting), it may be time to get a current/hardened router very soon. All your other devices and data are at risk right now. And, you may already be affected, (if the malware installed is clever enough to not disrupt your network too much, for you to notice and take evasive actions).

 

[dub_it]

Thanks guys. In the meantime, I also went to dig deeper about the definitions used in this CVE, and found this description:

"A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g., Bluetooth, IEEE 802.11), or logical (e.g., local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g., a router)."

I guess this means that my network can be attacked if someone is simply within range of my wi-fi, without actually being connected to the network, since they say "physical or logical"?

 

[Tech9]

Buffalo Wxr-1900dhp Firmware : CVE security vulnerabilities, versions and detailed reports

Buffalo Wxr-1900dhp Firmware security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions

www.cvedetails.com

Read the description and what devices are affected. I see firmware Ver. 2.51 for your router available.

Also read Exploit Prediction Scoring System. For both vulnerabilities it's 0.05% and 0.27%. One doesn't apply for your device, the other has a fix.

 

[dub_it]

Buffalo Wxr-1900dhp Firmware : CVE security vulnerabilities, versions and detailed reports

Buffalo Wxr-1900dhp Firmware security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions

www.cvedetails.com

Read the description and what devices are affected. I see firmware Ver. 2.51 for your router available.

Yeah, unfortunately, it's only available for the Japanese version. I even called their US toll-free number, and they told me to not attempt to use the Japanese patch, or I'll brick it. Although, this was a few months ago. Did you find one on the Americas site that I'm not aware of? They have a bunch of different websites, but the one I found was only in Japanese. The English version didn't have anything.

Maybe I'm not interpreting these scores right, but I saw it says 8.8 for the overall score on this page: https://nvd.nist.gov/vuln-metrics/c.../UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST

 

[sfx2000]

I have a (crappy) Buffalo WXR-1900DHP

It's not that "crappy" but it is old, and it's been a long time since it has any firmware updates to deal with 5 years of security issues...

Might consider an update/upgrade for the hardware...

 

[dub_it]

It's not that "crappy" but it is old, and it's been a long time since it has any firmware updates to deal with 5 years of security issues...

Might consider an update/upgrade for the hardware...

I was saying it in a bitter kind of way...from the beginning it's been a pos. The UI is buggy (sometimes only loads part of the page), the radios lost most of their power within 1-2 years, and they've only ever released 1 firmware update from the very beginning. Anyway, I won't buy another Buffalo, that's for sure. But yeah, I agree, it's gonna be time to upgrade soon. Just not sure how pressed for time I am...

 

[Tech9]

Just not sure how pressed for time I am...

The single CVE affecting your router is unlikely to be a serious threat.

 

[RMerlin]

DD-WRT should support that model, that would be an option if Buffalo no longer provides security updates.

 

[dub_it]

Thanks, everyone. I won't worry about it tooooo much for now, but I'll definitely be upgrading when opportunity knocks.