|
[Japanese]
|
JVNDB-2013-000012
|
NEC Universal RAID Utility fails to restrict access permissions
|
|
NEC Universal RAID Utility contains an issue where access permissions are not restricted.
NEC Universal RAID Utility is a software to manage a RAID controller. NEC Universal RAID Utility contains an issue where access permissions are not restricted.
SAKURA Internet Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V2 Severity:
Base Metrics 9.0 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Complete
|
|
|
NEC Corporation
- Universal RAID Utility Ver1.40 (for Windows) Rev 680 and earlier
- Universal RAID Utility Ver2.31 (for Windows/Linux/VMware ESX) Rev 1492 and earlier
- Universal RAID Utility Ver2.5 (for Windows/Linux/VMware ESX) Rev 2244 and earlier
|
|
|
A remote unauthenticated attacker may conduct arbitrary operations against the HDD on the vulunerable RAID system.
|
|
[Update the software]
Update to the latest version according to the information provided by the developer.
[Apply a workaround]
The following workaround may mitigate the affects of this vulnerability.
* Restrict access from 52805/TCP.
|
|
NEC Corporation
|
|
- Permissions(CWE-264) [IPA Evaluation]
|
|
- CVE-2013-0706
|
|
- JVN : JVN#75585394
- National Vulnerability Database (NVD) : CVE-2013-0706
|
|
- [2013/02/21]
Web page was published
[2013/02/26]
Impact was modified
Solution was modified
[2013/03/01]
Vendor Information was added (Vulnerability of Express5800 Series Universal RAID Utility (URU))
|
