Published: 2020/12/18  Last Updated: 2021/01/04

JVN#10100024
Management software for NEC Storage disk array system vulnerable to improper server certificate verification

Overview

Management software for NEC Storage disk array system is vulnerable to improper server certificate verification.

Products Affected

  • iSM Client versions V5.1 and later but prior to V12.1, running on NEC Storage Manager or NEC Storage Manager Express

Description

Management software for NEC Storage disk array system provided by NEC Corporation is vulnerable to improper server certificate verification (CWE-295).

Impact

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

  • When NEC Storage Manager is used and iSM Client connects to the Management Server:

  • When NEC Storage Manager Express is used and iSM Client connects to NEC Storage M12e, M120, M320, and M320F:
    • Update Storage Control Software to Revision 1216 or later, then access the disk array from a web browser, download the iSM Client installer, and update iSM Client.
      Refer to the information provided by the developer (available only in Japanese) for details on how to obtain the installer and how to update.

Vendor Status

  • Vendor: NEC Corporation
    Status: Vulnerable
    Last Update: 2020/12/18

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 4.8

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

CVSS v2: AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score: 4.0

  • Access Vector (AV): Network (N)
  • Access Complexity (AC): High (H)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): None (N)

Credit

Masaaki KOBAYASHI reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-5684
JVN iPedia: JVNDB-2020-000087

Update History

2021/01/04
Updated the URL of the information provided by the developer in the Solution section.