Source: Japan Vulnerability Notes (JVN), JVN:13464252
Published: Dec 17, 2021

JVN#13464252: UNIVERGE DT Series vulnerable to missing encryption of sensitive data


CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.001 (Percentile: 49.0%)

UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers (IP Phone Manager and Data Maintenance Tool) provided by NEC Platforms, Ltd. contain a missing encryption vulnerability (CWE-311).

Impact

If a remote attacker who can access the internal network where the product is installed analyzes packets while the IP Phone Manager or Data Maintenance Tool is in use, the phone configuration information may be obtained. Furthermore, the obtained configuration information may be abused to alter the phone configuration, which may render the IP Phones unusable.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Apply Workarounds
The following workarounds may avoid the impacts of this vulnerability.

  • Operate and manage the internal network properly to prevent packet capture.
  • Manage the purpose of use and the usage records properly so that IP Phone Manager or Data Maintenance Tool is not used beyond maintenance purposes.

Products Affected

  • UNIVERGE IP Phone DT900 Series (DT930)
    • Japanese model
      • ITK-12CG-1D(WH/BK)TEL V2.4.0.0 and prior
      • ITK-24CG-1D(WH/BK)TEL V2.4.0.0 and prior
      • ITK-32CG-1D(WH)TEL V2.4.0.0 and prior
      • ITK-32TCG-1D(WH/BK)TEL V2.4.0.0 and prior
    • North American model
      • ITK-24CG-1(WH/BK)TEL V2.4.0.0 and prior
      • ITK-8TCGX-1(BK)TEL V2.4.0.0 and prior
    • Australian model
      • ITK-24CG-1A(BK)TEL V2.4.0.0 and prior
      • ITK-32TCG-1A(BK)TEL V2.4.0.0 and prior
    • Europe model (EMEA・ASIA)
      • ITK-24CG-1P(WH/BK)TEL V2.4.0.0 and prior
      • ITK-8TCGX-1P(BK)TEL V2.4.0.0 and prior
      • ITK-32TCGX-1P(BK)TEL V2.4.0.0 and prior
    • Chinese model
      • ITK-24CG-1U(WH/BK)TEL V2.4.0.0 and prior
  • UNIVERGE IP Phone DT900 Series (DT920)
    • Japanese model
      • ITK-6DG-1D(WH/BK)TEL V2.4.0.0 and prior
      • ITK-12DG-1D(WH)TEL® V2.4.0.0 and prior
      • ITK-32LCG-1D(WH/BK)TEL V2.4.0.0 and prior
    • North American model
      • ITK-6D-1(BK)TEL V2.4.0.0 and prior
      • ITK-12D-1(BK)TEL V2.4.0.0 and prior
      • ITK-8LCX-1(BK)TEL V2.4.0.0 and prior
    • Australian model
      • ITK-6DG-1A(BK)TEL V2.4.0.0 and prior
      • ITK-32LCG-1A(BK)TEL V2.4.0.0 and prior
    • Europe model (EMEA・ASIA)
      • ITK-6D-1P(BK)TEL V2.4.0.0 and prior
      • ITK-6DG-1P(BK)TEL V2.4.0.0 and prior
      • ITK-12D-1P(BK)TEL V2.4.0.0 and prior
      • ITK-12DG-1P(BK)TEL V2.4.0.0 and prior
      • ITK-8LCX-1P(BK)TEL V2.4.0.0 and prior
      • ITK-8LCG-1P(BK)TEL V2.4.0.0 and prior
      • ITK-32LCG-1P(BK)TEL V2.4.0.0 and prior
    • Chinese model
      • ITK-6D-1U(BK)TEL V2.4.0.0 and prior
      • ITK-6DG-1U(BK)TEL V2.4.0.0 and prior
      • ITK-12D-1U(BK)TEL V2.4.0.0 and prior
      • ITK-12DG-1U(BK)TEL V2.4.0.0 and prior
  • UNIVERGE IP Phone DT800 Series (DT830)
    • Japanese model
      • ITZ-12D-1D(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-24D-1D(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-32D-1D(WH)TEL V5.2.7.0 and prior
      • ITZ-24PA-1D(WH)TEL V5.2.7.0 and prior
      • ITZ-24PD-1D(WH)TEL V5.2.7.0 and prior
      • ITZ-12D-2D(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-24D-2D(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-32D-2D(WH)TEL V5.2.7.0 and prior
      • ITZ-24PA-2D(WH)TEL V5.2.7.0 and prior
      • ITZ-24PD-2D(WH)TEL V5.2.7.0 and prior
      • ITZ-24DG-2D(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-24CG-2D(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-24PAG-2D(WH)TEL V5.2.7.0 and prior
      • ITZ-24PDG-2D(WH)TEL V5.2.7.0 and prior
      • ITZ-32DLK-2D(WH)TEL V5.2.7.0 and prior
    • North American model
      • ITZ-12D-3(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-24D-3(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-8LD-3(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-8LDG-3(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-12DG-3(BK)TEL V5.2.7.0 and prior
      • ITZ-12CG-3(BK)TEL V5.2.7.0 and prior
    • Australian model
      • ITZ-24D-3A(BK)TEL V5.2.7.0 and prior
      • ITZ-8LDG-3A(BK)TEL V5.2.7.0 and prior
      • ITZ-24DG-3A(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-24CG-3A(BK)TEL V5.2.7.0 and prior
    • Europe model (EMEA・ASIA)
      • ITZ-12D-3P(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-24D-3P(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-8LDG-3P(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-12DG-3P(WH/BK)TEL V5.2.7.0 and prior
      • ITZ-12CG-3P(WH/BK)TEL V5.2.7.0 and prior
    • Chinese model
      • ITZ-12D-3P(WH/BK)TEL for China V5.2.7.0 and prior
      • ITZ-24D-3P(WH/BK)TEL for China V5.2.7.0 and prior
      • ITZ-8LDG-3P(WH/BK)TEL for China V5.2.7.0 and prior
      • ITZ-12DG-3P(WH/BK)TEL for China V5.2.7.0 and prior
      • ITZ-12CG-3P(WH/BK)TEL for China V5.2.7.0 and prior
  • UNIVERGE IP Phone DT800 Series (DT820)
    • North American model
      • ITY-6D-1(BK)TEL V3.2.7.0 and prior
      • ITY-8LDX-1(BK)TEL V3.2.7.0 and prior
      • ITY-8LDX-1(BK)TEL (OpEx) V3.2.7.0 and prior
      • ITY-8LCGX-1(BK)TEL V3.2.7.0 and prior
    • Australian model
      • ITY-6DG-1A(BK)TEL V3.2.7.0 and prior
    • Europe model (EMEA・ASIA)
      • ITY-6D-1P(BK)TEL V3.2.7.0 and prior
      • ITY-6DG-1P(BK)TEL V3.2.7.0 and prior
      • ITY-8LDX-1P(BK)TEL V3.2.7.0 and prior
      • ITY-32LDG-1P(BK)TEL V3.2.7.0 and prior
      • ITY-8LCGX-1P(BK)TEL V3.2.7.0 and prior
      • ITY-32LCG-1P(BK)TEL V3.2.7.0 and prior
    • Chinese model
      • ITY-6D-1P(BK)TEL for China V3.2.7.0 and prior
      • ITY-6DG-1P(BK)TEL for China V3.2.7.0 and prior
      • ITY-8LDX-1P(BK)TEL for China V3.2.7.0 and prior
      • ITY-32LDG-1P(BK)TEL for China V3.2.7.0 and prior
      • ITY-8LCGX-1P(BK)TEL for China V3.2.7.0 and prior
      • ITY-32LCG-1P(BK)TEL for China V3.2.7.0 and prior
  • Other (PC tools for DT Series maintainers)
    • IP Phone Manager V8.9.1 and prior
    • Data Maintenance Tool for DT900 Series V5.3.0.0 and prior
    • Data Maintenance Tool for DT800 Series V4.2.0.0 and prior
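
The following script is an added example, not part of the JVN advisory or of NEC's tooling: it triages an asset inventory against the "and prior" version limits listed above. Matching phones by model prefix (ITK-, ITZ-, ITY-) and the inventory rows are assumptions made for the example.

```python
import re

# Highest affected version per product, taken from "Products Affected" above.
# Matching phones by model prefix is a simplification made for this example;
# confirm exact model numbers against the advisory's list.
LAST_AFFECTED = {
    "ITK-": "2.4.0.0",   # DT900 Series (DT930, DT920)
    "ITZ-": "5.2.7.0",   # DT800 Series (DT830)
    "ITY-": "3.2.7.0",   # DT800 Series (DT820)
    "IP Phone Manager": "8.9.1",
    "Data Maintenance Tool for DT900 Series": "5.3.0.0",
    "Data Maintenance Tool for DT800 Series": "4.2.0.0",
}

def parse_version(text):
    """Turn 'V2.4.0.0' or '2.4.0.0' into a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def pad(v, n):
    """Right-pad a version tuple with zeros so 5.3.1 compares against 5.3.0.0."""
    return v + (0,) * (n - len(v))

def triage(product, version):
    """Return 'affected', 'not listed as affected', or 'unknown'."""
    limit = next((lim for key, lim in LAST_AFFECTED.items()
                  if product.strip().startswith(key)), None)
    found = parse_version(version)
    if limit is None or found is None:
        return "unknown"  # unlisted product or unreadable version: check by hand
    limit = parse_version(limit)
    width = max(len(limit), len(found))
    return "affected" if pad(found, width) <= pad(limit, width) else "not listed as affected"

# Constructed inventory rows (product or model, reported version) for illustration.
INVENTORY = [
    ("ITK-12CG-1D(WH/BK)TEL", "V2.4.0.0"),
    ("ITZ-24D-3(WH/BK)TEL", "V5.2.8.0"),
    ("ITY-6D-1(BK)TEL", "3.2.6.9"),
    ("IP Phone Manager", "V8.9.1"),
    ("Data Maintenance Tool for DT900 Series", "5.3.1"),
    ("ITK-24CG-1(WH/BK)TEL", "unknown"),
]

def report(rows=INVENTORY):
    return [(p, v, triage(p, v)) for p, v in rows]

if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```

Rows reported as "unknown" need a manual check, since a phone whose firmware version cannot be read may still be running an affected release.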
