Published: 2024/12/02  Last Updated: 2024/12/02

JVN#53958863
Multiple vulnerabilities in UNIVERGE IX/IX-R/IX-V series routers

Overview

UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain multiple vulnerabilities.

Products Affected

CVE-2024-11013

  • UNIVERGE IX series
  • UNIVERGE IX-R/IX-V series

CVE-2024-11014

  • UNIVERGE IX series

For the affected product names and versions, refer to the information provided by the developer.

Description

UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain multiple vulnerabilities listed below.

  • Command injection (CWE-77)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2024-11013
  • Cross-site request forgery (CWE-352)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Base Score 4.3
    • CVE-2024-11014

Impact

  • A logged-in user who sends a crafted WebGUI request may execute arbitrary CLI commands on the router (CVE-2024-11013)
  • If a logged-in user accesses a crafted link, unintended content may be displayed on the product's Web Console (CVE-2024-11014)

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.

Apply the workaround
If the update cannot be applied for some reason, disable the WebGUI of the affected product; both issues are exposed through it.

For more details, refer to the information provided by the developer.

Vendor Status

Vendor            Status       Last Update   Vendor Notes
NEC Corporation   Vulnerable   2024/12/02

Credit

RyotaK of Flatt Security Inc. reported these vulnerabilities to NEC Corporation and coordinated the disclosure. NEC Corporation and JPCERT/CC published their respective advisories through JVN in order to notify users of the solutions.

Other Information

JVN iPedia JVNDB-2024-000124