[Japanese]
|
JVNDB-2020-000083
|
Multiple vulnerabilities in Aterm SA3500G
|
Aterm SA3500G provided by NEC Corporation contains multiple vulnerabilities listed below.
* OS command injection (CWE-78) - CVE-2020-5635
* OS command injection (CWE-78) - CVE-2020-5636
* Improper Validation of Integrity Check Value (CWE-354) - CVE-2020-5637
These vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated coordinated with the developer under Information Security Early Warning Partnership.
CVE-2020-5635
Shu Yoshikoshi of NetAgent Co.,Ltd. (LAC Co., Ltd.)
CVE-2020-5636 and CVE-2020-5637
Narumi Hirai of NetAgent Co.,Ltd. (LAC Co., Ltd.)
|
CVSS V3 Severity: Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.8 (Medium) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5635
|
CVSS V3 Severity:
Base Metrics:
6.8 (Medium) [IPA Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics:
5.2 (Medium)
[IPA Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5636
|
CVSS V3 Severity:
Base Metrics:
6.8 (Medium) [IPA Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics:
5.2 (Medium)
[IPA Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5637
|
|
NEC Corporation
- Aterm SA3500G firmware versions prior to Ver. 3.5.9
|
|
* If an attacker who can access the device sends a specially crafted request to a specific URL, an arbitrary command may be executed - CVE-2020-5635
* If a user sends a specially crafted request to a specific URL while logged in to the management screen of the device, an arbitrary command may be executed - CVE-2020-5636
* An attacker who can access the management screen of the device may execute a malicious program - CVE-2020-5637
|
[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
|
NEC Corporation
|
- Improper Input Validation(CWE-20) [IPA Evaluation]
- OS Command Injection(CWE-78) [IPA Evaluation]
|
- CVE-2020-5635
- CVE-2020-5636
- CVE-2020-5637
|
- JVN : JVN#55917325
- National Vulnerability Database (NVD) : CVE-2020-5635
- National Vulnerability Database (NVD) : CVE-2020-5636
- National Vulnerability Database (NVD) : CVE-2020-5637
|
- [2020/12/11]
Web page was published
|