Multiple Vulnerabilities in UNIVERGE IX
Number: NV24-009
CVE: CVE-2024-11013, CVE-2024-11014
Overview
Multiple vulnerabilities exist in the UNIVERGE IX/IX-R/IX-V.
- A user logged into the management interface can modify and send WebGUI messages, allowing arbitrary CLI commands to be executed on the device (CVE-2024-11013).
- A user logged into the management interface can access a crafted link, which causes unintended screens to be displayed on the management interface (CVE-2024-11014).
Products Affected
UNIVERGE IX
Affected Version
CVE-2024-11013
- UNIVERGE IX, from Ver9.2 to Ver10.10.21
  (for Ver10.8, up to Ver10.8.27; for Ver10.9, up to Ver10.9.14)
- UNIVERGE IX-R/IX-V, Ver1.2.15 and earlier
CVE-2024-11014
- UNIVERGE IX, from Ver9.2 to Ver10.10.21
  (for Ver10.8, up to Ver10.8.27; for Ver10.9, up to Ver10.9.14)
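To triage a device inventory against the ranges above, the following added example (not part of the NEC advisory) maps a product and version string to the applicable CVE IDs. It assumes the Ver10.8 and Ver10.9 lines are per-branch upper bounds, that versions are written in the advisory's "VerX.Y.Z" notation, and the host names and inventory rows are constructed.

```python
import re

# Bounds transcribed from the advisory's "Affected Version" section.
# Assumption: the Ver10.8 / Ver10.9 lines are per-branch upper bounds, so
# later releases in those two branches are treated as fixed.
IX_FIRST = (9, 2, 0)
IX_LAST = (10, 10, 21)
IX_BRANCH_LAST = {(10, 8): (10, 8, 27), (10, 9): (10, 9, 14)}
IX_RV_LAST = (1, 2, 15)


def parse_version(text):
    """Turn 'Ver10.8.27' or '10.8.27' into (10, 8, 27); a missing patch is 0."""
    m = re.fullmatch(r"(?:ver)?\s*(\d+)\.(\d+)(?:\.(\d+))?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def affected_cves(product, version):
    """Return the CVE IDs from this advisory that apply to product/version."""
    v = parse_version(version)
    product = product.upper()
    if product == "IX":
        last = IX_BRANCH_LAST.get(v[:2], IX_LAST)
        if IX_FIRST <= v <= last:
            return ["CVE-2024-11013", "CVE-2024-11014"]
        return []
    if product in ("IX-R", "IX-V"):
        # The advisory lists only CVE-2024-11013 for IX-R/IX-V.
        return ["CVE-2024-11013"] if v <= IX_RV_LAST else []
    raise ValueError(f"product not covered by this advisory: {product!r}")


def triage(inventory):
    """Map each (host, product, version) row to its applicable CVE list."""
    return {host: affected_cves(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = [
    ("branch-rtr-01", "IX", "Ver10.8.27"),
    ("branch-rtr-02", "IX", "Ver10.8.28"),
    ("branch-rtr-03", "IX", "Ver10.2.42"),
    ("edge-rtr-01", "IX-R", "Ver1.2.15"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(cves) if cves else "not in affected range")
```

Devices flagged here that cannot be updated immediately are candidates for the WebGUI-disable workaround listed under Solution.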
Solution
Please update.
UNIVERGE IX
https://jpn.nec.com/univerge/ix/Support/Security-Info/JVN/JVN53958863.html
UNIVERGE IX-R/IX-V
https://jpn.nec.com/univerge/ix-nrv/Support/Security-Info/JVN/JVN53958863.html
Alternatively, apply the following workaround:
- Disable the WebGUI.
References
CVE-2024-11013
https://www.cve.org/CVERecord?id=CVE-2024-11013
CVE-2024-11014
https://www.cve.org/CVERecord?id=CVE-2024-11014
Credit
Reported by Mr. RyotaK of Flatt Security Inc. to NEC-PSIRT.
Update
- 2024/11/29: First edition