Published:2022/03/10  Last Updated:2022/03/10

JVN#72801744
UNIVERGE WA Series vulnerable to OS command injection

Overview

UNIVERGE WA Series provided by NEC Platforms, Ltd. contains an OS command injection vulnerability.

Products Affected

  • UNIVERGE WA Series Ver8.2.11 and eariler

Description

Remote system maintenance feature of UNIVERGE WA series "Local maintenance console/Remote maintenance console/Web based remote console maintenance" contains an OS command injection vulnerability (CWE-78).

Impact

If an attacker who can access the product sends specific character strings or a specially crafted request to a specific URL, an arbitrary command may be executed or a denial-of-service (DoS) condition may be caused.

Solution

Update the Software
Update the software to the appropriate version according to the information provided by the developer.

  • UNIVERGE WA Series Ver8.2.13 and later
To obtain the update, contact the sales representative where you purchased the product.

Apply the workarounds
Applying the following workarounds may mitigate the impacts of this vulnerability.
  • Explicitly create an access rule based on source IP addresses/destination IP addresses/port numbers for network connections to the product.
  • Change a user name and a password for ID/password authentication from initial settings to prevent unauthorized login attemps from a malicious user.
  • Set the password with a strong string (8 or more characters, mixed case/number is recommended).

Vendor Status

Vendor Status Last Update Vendor Notes
NEC Platforms, Ltd. Vulnerable 2022/03/10

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P
Base Score: 5.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-25621
JVN iPedia JVNDB-2022-000016