Japan Vulnerability Notes (jvn), JVN:55917325
History: Dec 11, 2020 - 12:00 a.m.

JVN#55917325: Multiple vulnerabilities in Aterm SA3500G

CVSS2: 5.8 (AV:A/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVSS3: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: ADJACENT
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.001 (Percentile: 50.4%)

Aterm SA3500G provided by NEC Corporation contains multiple vulnerabilities listed below.

OS command injection (CWE-78) - CVE-2020-5635

Version | Vector | Score
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 8.8
CVSS v2 | AV:A/AC:L/Au:N/C:P/I:P/A:P | Base Score: 5.8

OS command injection (CWE-78) - CVE-2020-5636

Version | Vector | Score
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | Base Score: 6.8
CVSS v2 | AV:A/AC:L/Au:S/C:P/I:P/A:P | Base Score: 5.2

Improper Validation of Integrity Check Value (CWE-354) - CVE-2020-5637

Version | Vector | Score
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | Base Score: 6.8
CVSS v2 | AV:A/AC:L/Au:S/C:P/I:P/A:P | Base Score: 5.2

Impact

  • If an attacker who can access the device sends a specially crafted request to a specific URL, an arbitrary command may be executed - CVE-2020-5635
  • If a user sends a specially crafted request to a specific URL while logged in to the management screen of the device, an arbitrary command may be executed - CVE-2020-5636
  • An attacker who can access the management screen of the device may execute a malicious program - CVE-2020-5637

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.

Products Affected

  • Aterm SA3500G firmware versions prior to Ver. 3.5.9
