
JVNDB-2020-000021

Multiple Yamaha network devices vulnerable to denial-of-service (DoS)

Overview

Multiple network devices provided by Yamaha Corporation contain a denial-of-service (DoS) vulnerability.

NIWA Naoya of Amano Lab, Dept. of Information and Computer Science, Faculty of Science and Technology, Keio University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.9 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.1 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete

Affected Products

Yamaha Corporation
  • FWX120 firmware Rev.11.03.27 and earlier
  • NVR500 firmware Rev.11.00.38 and earlier
  • NVR510 firmware Rev.15.01.14 and earlier
  • NVR700W firmware Rev.15.00.15 and earlier
  • RTX1200 firmware Rev.10.01.76 and earlier
  • RTX1210 firmware Rev.14.01.33 and earlier
  • RTX3500 firmware Rev.14.00.26 and earlier
  • RTX5000 firmware Rev.14.00.26 and earlier
  • RTX810 firmware Rev.11.01.33 and earlier
  • RTX830 firmware Rev.15.02.09 and earlier

Impact

A remote attacker may be able to cause a denial-of-service (DoS) condition.

Solution

[Update the firmware]
Update to the latest version of firmware according to the information provided by the developer.

[Apply a workaround]
If the latest version of firmware cannot be obtained or the firmware update cannot be applied, one of the following workarounds may mitigate the impact of this vulnerability, because each of them stops the output of the filter log.

  • Stop the output of the filter log by using the ip filter command to set pass-nolog, reject-nolog and restrict-nolog.
  • Set syslog notice to stop the output of NOTICE-level logs.
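
The following audit script is an added example, not code from Yamaha or from this advisory. It checks a saved router configuration for the two workarounds above and reports every ip filter entry whose action is not one of the three -nolog actions. The line shapes "ip filter <number> <action> ..." and "syslog notice on|off" and the sample configuration are assumptions made for illustration.

```python
import re

# Actions the advisory names as not producing filter log output.
NOLOG_ACTIONS = {"pass-nolog", "reject-nolog", "restrict-nolog"}

# Assumed line shapes: "ip filter <number> <action> ..." and "syslog notice on|off".
FILTER_RE = re.compile(r"^ip\s+filter\s+(\d+)\s+(\S+)")
SYSLOG_RE = re.compile(r"^syslog\s+notice\s+(on|off)\b")


def audit_config(text):
    """Return filters not set to a -nolog action and the last 'syslog notice' value."""
    logging_filters = []
    syslog_notice = None  # None: no explicit line, so the device default applies
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILTER_RE.match(line)
        if m:
            number, action = int(m.group(1)), m.group(2)
            if action not in NOLOG_ACTIONS:
                logging_filters.append((lineno, number, action))
            continue
        m = SYSLOG_RE.match(line)
        if m:
            syslog_notice = m.group(1)
    return {"logging_filters": logging_filters, "syslog_notice": syslog_notice}


def workaround_applied(result):
    """True if either workaround from the advisory is visibly in place."""
    return not result["logging_filters"] or result["syslog_notice"] == "off"


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
ip filter 100 reject-nolog 192.0.2.0/24 * * * *
ip filter 101 pass-log * * tcp * 80
ip filter 102 reject * * udp * 137-139
ip filter 200 pass-nolog * * * * *
syslog notice on
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for lineno, number, action in result["logging_filters"]:
        print(f"line {lineno}: ip filter {number} uses '{action}'")
    print("syslog notice:", result["syslog_notice"],
          "| workaround applied:", workaround_applied(result))
```

Entries that use an action without an explicit -log or -nolog suffix are reported for review rather than classified, since the advisory names only the three -nolog actions.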

Vendor Information

  • Yamaha Corporation
  • NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
  • NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION

CWE

  1. No Mapping(CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2020-5548

References

  1. JVN : JVN#38732359
  2. National Vulnerability Database (NVD) : CVE-2020-5548

Revision History

  • [2020/03/31]
      Web page was published
  • [2020/04/01]
      NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION update status
  • [2020/04/01]
      NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION update status