Published:2021/03/22  Last Updated:2021/03/22

JVN#12737530
UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS)

Overview

UNIVERGE Aspire series PBX provided by NEC Platforms, Ltd. contain a denial-of-service (DoS) vulnerability.

Products Affected

  • UNIVERGE Aspire WX from 1.00 to 3.51
  • UNIVERGE Aspire UX from 1.00 to 9.70
  • UNIVERGE SV9100 from 1.00 to 10.70
  • SL2100 from 1.00 to 3.00

Description

Remote system maintenance feature of UNIVERGE Aspire series PBX contain an issue in handling commands, which may cause a denial-of-service (DoS).

Impact

An attacker may cause system down and reboot of the products by sending a specially crafted command.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the following versions.

  • UNIVERGE Aspire WX 4.00 or the later
  • UNIVERGE Aspire UX 9.80 or the later
  • UNIVERGE SV9100 11.00 or the later
  • SL2100 3.10 or the later

Apply Workarounds
The following workarounds may mitigate the affects of this vulnerability.
  • Disable the remote system maintenance feature.
  • Do not directly connect the products to an external network such as the Internet.
Note that the products' remote system maintenance feature is disabled by default.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score: 3.1
CVSS v2 AV:N/AC:M/Au:S/C:N/I:N/A:P
Base Score: 3.5

Credit

NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20677
JVN iPedia JVNDB-2021-000023