JVNDB-2020-000087

Management software for NEC Storage disk array system vulnerable to improper server certificate verification

Management software for NEC Storage disk array system provided by NEC Corporation is vulnerable to improper server certificate verification (CWE-295).

Masaaki KOBAYASHI reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

NEC Corporation

• iSM Client versions from V5.1 prior to V12.1

Running on NEC Storage Manager or NEC Storage Manager Express

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication.

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

• In the case where NEC Storage Manager is used and connecting to Management Server from iSM Client:
  
  • Update to iSM Server V12.1 or the later version and to iSM Client V12.1 or the later version.
    
    • Refer to the information provided by the developer (only in Japanese) for details on how to update.


• In the case where NEC Storage Manager Express is used and connecting to NEC Storage M12e, M120, M320, and M320F from iSM Client:
  
  • Update Storage Control Software to Revision 1216 or the later version, access the disk array from a web browser, download the installer of iSM Client and update it.
    
    • Refer to the information provided by the developer (only in Japanese) for details on how to obtain the installer and how to update.
      

NEC Corporation

• JVN : Information from NEC Corporation

Hitachi, Ltd

• Hitachi : hitachi-sec-2021-217 (in Japanese)

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2020-5684

1. JVN : JVN#10100024
2. National Vulnerability Database (NVD) : CVE-2020-5684

• [2020/12/18]
    Web page was published
• [2021/07/21]
    Vendor Information : Content was added