Published:2021/09/17  Last Updated:2021/09/17

JVN#42866574
Multiple vulnerabilities in Sharp NEC Display Solutions' public displays

Overview

Multiple public displays provided by Sharp NEC Display Solutions, Ltd. contain multiple vulnerabilities.

Products Affected

  • UN462A, UN462VA, UN492S, UN492VS, UN552A, UN552S, UN552VS, UN552, UN552V, UX552(*1) firmware version R1.300 and earlier
  • V864Q, C861Q(*1), P754Q, V754Q, C751Q, V984Q, C981Q(*1), P654Q, V654Q, C651Q, V554Q firmware version R2.000 and earlier
  • P404, P484, P554, V404, V484, V554, V404-T, V484-T, V554-T firmware version R3.201 and earlier
  • C501, C551, C431 firmware version R2.000 and earlier
(*1) UX552, C861Q, and C981Q are sold outside Japan.

For more information, refer to the information provided by the developer.

Description

Multiple public displays provided by Sharp NEC Display Solutions, Ltd. contain multiple vulnerabilities listed below.

  • Command Injection (CWE-77) - CVE-2021-20698
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score:10.0
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score:9.8
  • Buffer Overflow (CWE-120) - CVE-2021-20699
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score:10.0
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score:9.8

Impact

Arbitrary code may be executed by an attacker who can access the affected display.

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.

Vendor Status

Vendor Link
Sharp NEC Display Solutions, Ltd. Vulnerabilities in public displays
Public Display Firmware Update

Credit

Howard McGreehan of Aon's Cyber Solutions reported these vulnerabilities to Sharp NEC Display Solutions, Ltd., and Sharp NEC Display Solutions, Ltd. reported them to JPCERT/CC to notify users of the solution through JVN.

Other Information

CVE: CVE-2021-20698, CVE-2021-20699
JVN iPedia: JVNDB-2021-000081