[Japanese]

JVNDB-2020-000087

Management software for NEC Storage disk array system vulnerable to improper server certificate verification

Overview

Management software for NEC Storage disk array system provided by NEC Corporation is vulnerable to improper server certificate verification (CWE-295).

Masaaki KOBAYASHI reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


NEC Corporation
  • iSM Client versions from V5.1 prior to V12.1

Running on NEC Storage Manager or NEC Storage Manager Express
Impact

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
  • In the case where NEC Storage Manager is used and connecting to Management Server from iSM Client:

  • In the case where NEC Storage Manager Express is used and connecting to NEC Storage M12e, M120, M320, and M320F from iSM Client:
    • Update Storage Control Software to Revision 1216 or the later version, access the disk array from a web browser, download the installer of iSM Client and update it.
Vendor Information

NEC Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-5684
References

  1. JVN : JVN#10100024
Revision History

  • [2020/12/18]
      Web page was published