CVE-2020-5684 - OpenCVE

iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Nec	M320 M12e Ism Server M120 M320f

Configuration 1 [-]

AND

cpe:2.3:a:nec:ism_server:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:nec:m120:-:::::::*
	cpe:2.3:h:nec:m12e:-:::::::*
	cpe:2.3:h:nec:m320:-:::::::*
	cpe:2.3:h:nec:m320f:-:::::::*

References

Link	Resource
https://jpn.nec.com/security-info/secinfo/nv20-015.html	Vendor Advisory
https://jvn.jp/en/jp/JVN10100024/index.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2020-12-24T01:20:20

Updated: 2020-12-24T01:20:20

Reserved: 2020-01-06T00:00:00

Link: CVE-2020-5684

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-24T02:15:12.957

Modified: 2020-12-28T18:25:19.187

Link: CVE-2020-5684

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "Management software for NEC Storage disk array system", "vendor": "NEC Corporation", "versions": [{"status": "affected", "version": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express"}]}], "descriptions": [{"lang": "en", "value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate."}], "problemTypes": [{"descriptions": [{"description": "Improper server certificate verification", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-24T01:20:20", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jpn.nec.com/security-info/secinfo/nv20-015.html"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN10100024/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5684", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Management software for NEC Storage disk array system", "version": {"version_data": [{"version_value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express"}]}}]}, "vendor_name": "NEC Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper server certificate verification"}]}]}, "references": {"reference_data": [{"name": "https://jpn.nec.com/security-info/secinfo/nv20-015.html", "refsource": "MISC", "url": "https://jpn.nec.com/security-info/secinfo/nv20-015.html"}, {"name": "https://jvn.jp/en/jp/JVN10100024/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN10100024/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5684", "datePublished": "2020-12-24T01:20:20", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2020-12-24T01:20:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nec:ism_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "752ABEA9-A949-4390-A361-CF95BB09F228", "versionEndExcluding": "12.1", "versionStartIncluding": "5.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:nec:m120:-:*:*:*:*:*:*:*", "matchCriteriaId": "759282D6-414A-4D06-9BD1-FCB50D524F5F", "vulnerable": false}, {"criteria": "cpe:2.3:h:nec:m12e:-:*:*:*:*:*:*:*", "matchCriteriaId": "ABEDC9FC-76CE-40C4-9DAE-9CF490D5D08F", "vulnerable": false}, {"criteria": "cpe:2.3:h:nec:m320:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6C0F3F9-244A-477A-91F1-E224A8CF7A23", "vulnerable": false}, {"criteria": "cpe:2.3:h:nec:m320f:-:*:*:*:*:*:*:*", "matchCriteriaId": "7061A1F3-ED55-4906-8E46-7F4BA9B427F1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate."}, {"lang": "es", "value": "El cliente iSM desde versiones V5.1 anteriores a V12.1, que se ejecutan en NEC Storage Manager o NEC Storage Manager Express no verifican un certificado de servidor apropiadamente, el cual permite a un atacante de tipo man-in-the-middle espiar una comunicaci\u00f3n cifrada o alterar la comunicaci\u00f3n por medio de un certificado dise\u00f1ado"}], "id": "CVE-2020-5684", "lastModified": "2020-12-28T18:25:19.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-24T02:15:12.957", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://jpn.nec.com/security-info/secinfo/nv20-015.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN10100024/index.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}