JVNVU#98954968
Multiple vulnerabilities in EXPRESSCLUSTER X

Overview

WebManager/Cluster WebUI of EXPRESSCLUSTER X provided by NEC Corporation contains multiple vulnerabilities.

Products Affected

• EXPRESSCLUSTER 1.0
• EXPRESSCLUSTER 2.0
• EXPRESSCLUSTER 2.1
• EXPRESSCLUSTER 3.0
• EXPRESSCLUSTER 3.1
• EXPRESSCLUSTER 3.2
• EXPRESSCLUSTER 3.3
• EXPRESSCLUSTER 4.0
• EXPRESSCLUSTER 4.1
• EXPRESSCLUSTER 4.2
• EXPRESSCLUSTER 4.3
• EXPRESSCLUSTER 5.0
• EXPRESSCLUSTER 5.1
• EXPRESSCLUSTER SingleServerSafe 1.0
• EXPRESSCLUSTER SingleServerSafe 2.0
• EXPRESSCLUSTER SingleServerSafe 2.1
• EXPRESSCLUSTER SingleServerSafe 3.0
• EXPRESSCLUSTER SingleServerSafe 3.1
• EXPRESSCLUSTER SingleServerSafe 3.2
• EXPRESSCLUSTER SingleServerSafe 3.3
• EXPRESSCLUSTER SingleServerSafe 4.0
• EXPRESSCLUSTER SingleServerSafe 4.1
• EXPRESSCLUSTER SingleServerSafe 4.2
• EXPRESSCLUSTER SingleServerSafe 4.3
• EXPRESSCLUSTER SingleServerSafe 5.0
• EXPRESSCLUSTER SingleServerSafe 5.1

The developer states that both the Windows edition and Linux edition are affected.

Description

WebManager/Cluster WebUI of EXPRESSCLUSTER X provided by NEC Corporation contains multiple vulnerabilities listed below.

• Missing authorization (CWE-862) - CVE-2023-39544

  CVSS v3

  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  Base Score: 8.8

• Files or directories accessible to external parties (CWE-552) - CVE-2023-39545

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

  Base Score: 7.8

• Use of password hash instead of password for authentication (CWE-836) - CVE-2023-39546

  CVSS v3

  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

  Base Score: 7.4

• Authentication bypass by Capture-replay (CWE-294) - CVE-2023-39547

  CVSS v3

  CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  Base Score: 7.5

• Unrestricted upload of file with dangerous type (CWE-434) - CVE-2023-39548

  CVSS v3

  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  Base Score: 8.1

Impact

• An attacker who can log in to the product may execute an arbitrary command - CVE-2023-39544
• An attacker who can log in to the product may obtain files containing credentials via HTTP API - CVE-2023-39545
• A remote attacker may execute 'Pass The Hash Attack', and atempt to log in to the product's WebUI as an administrator - CVE-2023-39546
• A remote attacker may obtain the information such as configuration files - CVE-2023-39547
• A remote attacker may execute an arbitrary script with an administrative privilege - CVE-2023-39548

Solution

Update the Software
For EXPRESSCLUSTER X 5.x, update the software to the latest version according to the information provided by the developer.
The developer has released the following versions that contain fixes for the vulnerabilities.

• EXPRESSCLUSTER X 5.1.2
• EXPRESSCLUSTER X SingleServerSafe 5.1.2

Apply the Patch
For EXPRESSCLUSTER X 3.x and EXPRESSCLUSTER X 4.x, the developer has released patches that contain fixes for these vulnerabilities.

Apply the Workaround
Apply the following workarounds to avoid the impacts of these vulnerabilities.

• Disable "Enable WebManager Service" of WebManager/Cluster WebUI

In the case disabling WebManager Service is impossible, applying one of the following workarounds may mitigate the impacts of these vulnerabilities.

• Use firewall and block untrusted communication
• Allow connection requests to WebManager HTTP Port (Default: 29003/TCP) only from the trusted clients
• Set the communication scheme of WebManager/Cluster WebUI to HTTPS (for EXPRESSCLUSTER X 4.0 and later)

For more information, refer to the information provided by the developer.