
JVNDB-2024-000124

Multiple vulnerabilities in UNIVERGE IX/IX-R/IX-V series routers

Overview

UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain multiple vulnerabilities listed below.
  • Command injection (CWE-77) - CVE-2024-11013
  • Cross-site request forgery (CWE-352) - CVE-2024-11014

RyotaK of Flatt Security Inc. reported these vulnerabilities to NEC Corporation and coordinated their disclosure. NEC Corporation and JPCERT/CC published their respective advisories in order to notify users of the solutions through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned to CVE-2024-11013

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2024-11014
Affected Products

NEC Corporation
  • UNIVERGE IX series (CVE-2024-11013, CVE-2024-11014)
  • UNIVERGE IX-R/IX-V series (CVE-2024-11013)

As for the details of affected product names and versions, refer to the information provided by the developer.
Impact

  • If a logged-in user sends a crafted request to the WebGUI, an arbitrary CLI command may be executed (CVE-2024-11013)
  • If a logged-in user accesses a crafted link, unintentional content may be displayed on the product's Web Console (CVE-2024-11014)
Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.

[Apply the workaround]
If the update cannot be applied for some reason, disable the affected product's WebGUI.

For more details, refer to the information provided by the developer.
Vendor Information

NEC Corporation
CWE

  1. Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2024-11013
  2. CVE-2024-11014
References

  1. JVN : JVN#53958863
Revision History

  • [2024/12/02]
      Web page was published