[Japanese]

JVNDB-2021-000081

Multiple vulnerabilities in Sharp NEC Display Solutions' public displays

Overview

Multiple public displays provided by Sharp NEC Display Solutions, Ltd. contain multiple vulnerabilities listed below.
* Command Injection (CWE-77) - CVE-2021-20698
* Buffer Overflow (CWE-120) - CVE-2021-20699

Howard McGreehan of Aon's Cyber Solutions reported these vulnerabilities to Sharp NEC Display Solutions, Ltd., and Sharp NEC Display Solutions, Ltd. reported them to JPCERT/CC to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [NVD Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 10.0 (High) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2021-20698


CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 10.0 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2021-20699
Affected Products


Sharp NEC Display Solutions, Ltd.
  • C431 firmware version R2.000 and earlier
  • C501 firmware version R2.000 and earlier
  • C551 firmware version R2.000 and earlier
  • C651Q firmware version R2.000 and earlier
  • C751Q firmware version R2.000 and earlier
  • C861Q firmware version R2.000 and earlier (*1)
  • C981Q firmware version R2.000 and earlier (*1)
  • P404 firmware version R3.201 and earlier
  • P484 firmware version R3.201 and earlier
  • P554 firmware version R3.201 and earlier
  • P654Q firmware version R2.000 and earlier
  • P754Q firmware version R2.000 and earlier
  • UN462A firmware version R1.300 and earlier
  • UN462VA firmware version R1.300 and earlier
  • UN492S firmware version R1.300 and earlier
  • UN492VS firmware version R1.300 and earlier
  • UN552 firmware version R1.300 and earlier
  • UN552A firmware version R1.300 and earlier
  • UN552S firmware version R1.300 and earlier
  • UN552V firmware version R1.300 and earlier
  • UN552VS firmware version R1.300 and earlier
  • UX552 firmware version R1.300 and earlier (*1)
  • V404 firmware version R3.201 and earlier
  • V404-T firmware version R3.201 and earlier
  • V484 firmware version R3.201 and earlier
  • V484-T firmware version R3.201 and earlier
  • V554 firmware version R3.201 and earlier
  • V554-T firmware version R3.201 and earlier
  • V554Q firmware version R3.201 and earlier
  • V654Q firmware version R2.000 and earlier
  • V754Q firmware version R2.000 and earlier
  • V864Q firmware version R2.000 and earlier
  • V984Q firmware version R2.000 and earlier

(*1)UX552, C861Q, C981Q are the products sold outside Japan. For more information, refer to the information provided by the developer.
Impact

Arbitrary code may be executed by an attacker who can access the affected display.
Solution

[Update the firmware]
Apply the appropriate firmware update according to the information provided by the developer.
Vendor Information

Sharp NEC Display Solutions, Ltd.
CWE (What is CWE?)

  1. Buffer Errors(CWE-119) [IPA Evaluation]
  2. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20698
  2. CVE-2021-20699
References

  1. JVN : JVN#42866574
Revision History

  • [2021/09/17]
      Web page was published