|
[Japanese]
|
JVNDB-2020-000087
|
Management software for NEC Storage disk array system vulnerable to improper server certificate verification
|
|
Management software for NEC Storage disk array system provided by NEC Corporation is vulnerable to improper server certificate verification (CWE-295).
Masaaki KOBAYASHI reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
NEC Corporation
- iSM Client versions from V5.1 prior to V12.1
|
Running on NEC Storage Manager or NEC Storage Manager Express
|
|
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication.
|
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
- In the case where NEC Storage Manager is used and connecting to Management Server from iSM Client:
- Update to iSM Server V12.1 or the later version and to iSM Client V12.1 or the later version.
- In the case where NEC Storage Manager Express is used and connecting to NEC Storage M12e, M120, M320, and M320F from iSM Client:
- Update Storage Control Software to Revision 1216 or the later version, access the disk array from a web browser, download the installer of iSM Client and update it.
|
|
NEC Corporation
Hitachi, Ltd
|
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2020-5684
|
|
- JVN : JVN#10100024
|
|
- [2020/12/18]
Web page was published
- [2021/07/21]
Vendor Information : Content was added
|
