JVN#10100024: Management software for NEC Storage disk array system vulnerable to improper server certificate verification

Management software for NEC Storage disk array system provided by NEC Corporation is vulnerable to improper server certificate verification (CWE-295).

Impact

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

• In the case where NEC Storage Manager is used and connecting to Management Server from iSM Client:

  • Update to iSM Server V12.1 or the later version and to iSM Client V12.1 or the later version.
    Refer to the information provided by the developer (only in Japanese) for details on how to update.

• In the case where NEC Storage Manager Express is used and connecting to NEC Storage M12e, M120, M320, and M320F from iSM Client:

  • Update Storage Control Software to Revision 1216 or the later version, access the disk array from a web browser, download the installer of iSM Client and update it.
    Refer to the information provided by the developer (only in Japanese) for details on how to obtain the installer and how to update.

Products Affected

• iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express