JVNDB-2021-000023
|
UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS)
|
The remote system maintenance feature of UNIVERGE Aspire series PBX contains an issue in handling commands, which may cause a denial-of-service (DoS) condition.
NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 3.1 (Low) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
|
|
NEC Platforms, Ltd.
- SL2100 from 1.00 to 3.00
- UNIVERGE Aspire UX from 1.00 to 9.70
- UNIVERGE Aspire WX from 1.00 to 3.51
- UNIVERGE SV9100 from 1.00 to 10.70
|
|
An attacker may cause the products to go down and reboot by sending a specially crafted command.
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
The developer has released the following versions.
* UNIVERGE Aspire UX 9.80 or later
* UNIVERGE Aspire WX 4.00 or later
* UNIVERGE SV9100 11.00 or later
* SL2100 3.10 or later
[Apply Workarounds]
The following workarounds may mitigate the effects of this vulnerability.
* Disable the remote system maintenance feature.
* Do not directly connect the products to an external network such as the Internet.
Note that the products' remote system maintenance feature is disabled by default.
|
NEC Platforms, Ltd.
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
- CVE-2021-20677
|
- JVN : JVN#12737530
- National Vulnerability Database (NVD) : CVE-2021-20677
|
- [2021/03/22] Web page was published
|