JVN#38784555
Multiple vulnerabilities in UNIVERGE SV9500/SV8500 series

Overview

UNIVERGE SV9500/SV8500 series provided by NEC Platforms, Ltd. contain multiple vulnerabilities.

Products Affected

• UNIVERGE SV9500 series from V1 to V7
• UNIVERGE SV8500 series from S6 to S8

Description

Remote system maintenance feature of UNIVERGE SV9500/SV8500 series' Web based remote maintenance console contains multiple vulnerabilities listed below.

• OS Command Injection (CWE-78) - CVE-2020-5685

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	Base Score: 9.6
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

• Incorrect Implementation of Authentication Algorithm (CWE-303) - CVE-2020-5686

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L	Base Score: 7.6
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

Impact

• If an attacker who can access the device sends a specially crafted request to a specific URL, an arbitrary command may be executed or a denial-of-service (DoS) condition may be caused - CVE-2020-5685
• If an attacker who can access the device sends a specially crafted request to a specific URL, the remote system maintenance feature may be accessed illegally and information may be disclosed - CVE-2020-5686

Solution

Update the Software
Update to the software according to the information provided by the developer.
Contact your product dealer for details of the update.

Apply the workarounds
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

• Do not directly connect the products to an external network such as the Internet.
• Explicitly create an access rule based on source IP addresses/destination IP addresses/port numbers for network connection to the products.