
Multiple Vulnerabilities in UNIVERGE IX

Number: NV24-009
CVE: CVE-2024-11013, CVE-2024-11014

Overview

Multiple vulnerabilities exist in the UNIVERGE IX/IX-R/IX-V.  
- A user logged into the management interface can modify and send WebGUI messages, allowing arbitrary CLI commands to be executed on the device (CVE-2024-11013).  
- A user logged into the management interface can access a crafted link, which causes unintended screens to be displayed on the management interface (CVE-2024-11014).

Products Affected

UNIVERGE IX

Affected Version

CVE-2024-11013  
  - UNIVERGE IX: from Ver9.2 to Ver10.10.21  
    - Ver10.8 branch: up to Ver10.8.27  
    - Ver10.9 branch: up to Ver10.9.14  
  - UNIVERGE IX-R/IX-V: Ver1.2.15 and earlier  

CVE-2024-11014  
  - UNIVERGE IX: from Ver9.2 to Ver10.10.21  
    - Ver10.8 branch: up to Ver10.8.27  
    - Ver10.9 branch: up to Ver10.9.14

Solution

Please update. Fixed versions are listed on the product security pages:
- UNIVERGE IX: https://jpn.nec.com/univerge/ix/Support/Security-Info/JVN/JVN53958863.html
- UNIVERGE IX-R/IX-V: https://jpn.nec.com/univerge/ix-nrv/Support/Security-Info/JVN/JVN53958863.html

Alternatively, apply the following workaround:  
- Disable the WebGUI.

References

Credit

Reported to NEC-PSIRT by Mr. RyotaK of Flatt Security Inc.

Update

2024/11/29
First edition