NEC UC Channel Update - Safety & Security Advisories (CVE)
As part of NEC's commitment to continuous product
development, we take a proactive approach to the evolving
security landscape.
As part of that work, a vulnerability (designated
CVE-2023-3741) has been identified in the UNIVERGE Communication
Products, DT900 Series and DT900S Series.
This vulnerability carries a "High" risk rating when the
products are exposed to the network without stringent security
controls. Note that it can be reached from the internal (intranet)
network as well as from external networks, so it is not enough to
rely on the perimeter alone.
Impact on NEC Communication Products
The following products are currently known to be
affected by the reported vulnerability. The affected and fixed
firmware versions are the same for every phone model listed.
Type of Phone
- ITK-6DG-1A(BK) TEL
- ITK-24LCG-1A(BK) TEL
- ITK-32LCG-1A(BK) TEL
- ITK-32TCG-1A(BK) TEL
- ITK-6DGS-1A(BK) TEL
- ITK-32LCGS-1A(BK) TEL
- ITK-32TCGS-1A(BK) TEL
Affected Version      | Fixed Version
v5.0.0.0 - v5.3.4.3   | V2.5.3.0
v5.4.0.0 - v5.6.0.19  | v5.6.0.20
To exploit this vulnerability, an attacker only needs to be
able to send a specially crafted packet to the phone; no credentials
or user interaction are mentioned in the bulletin.
Mitigation / Recommended Action
To reduce exposure to the vulnerability, this notice re-confirms
three basic practices. These reduce the attack surface but do not
remove the vulnerability itself; the security patch firmware must
also be applied. The measures below apply to the products listed
above.
Basic Practices
- In the firewall of
the customer's network environment, block communication to
ports 80 and 443 on the phones from the external network.
- Alternatively, change the port
number used by the Web Programming Function via the ADMIN settings.
- If web settings are
not used, disable the Web Programming Function via the ADMIN
settings.
Security Patches
- Apply the security
patch firmware provided by NEC Platforms.
- DT900 and DT900S
Series 2.5.3.0 available now
- DT900 and DT900S
Series 5.6.0.20 available now
The basic practices should be carried out
immediately. The security patch should be applied as soon as the
patch firmware is available for the handset.
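The two checks a fleet administrator will want after reading the table and the basic practices above are (1) which handsets in inventory still run firmware inside the affected ranges, and (2) whether a handset's Web Programming Function is still reachable on TCP 80/443 from the outside after the firewall or ADMIN change. The script below is an added example written for this page; it is not NEC code and does not speak the phone's protocol. It only parses dotted firmware strings and does plain TCP connect checks. The hostnames and firmware strings in the sample inventory are constructed, and the version ranges are taken verbatim from the bulletin's table.

```python
"""Fleet audit helper for the NEC DT900/DT900S advisory (added example, not NEC code).

  is_affected()   - is a firmware string inside the bulletin's affected ranges?
  web_exposure()  - does a handset accept TCP connections on the web ports
                    from wherever this runs (i.e. is the mitigation in place)?
"""
import socket
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Affected ranges as printed in the bulletin's table (inclusive at both ends).
# Note: versions between the two ranges (5.3.4.4 .. 5.3.x.x) are not listed
# in the bulletin at all; confirm their status with NEC rather than assuming.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((5, 0, 0, 0), (5, 3, 4, 3)),
    ((5, 4, 0, 0), (5, 6, 0, 19)),
]

# Default ports the bulletin tells you to block or move (Web Programming Function).
WEB_PORTS = (80, 443)

# Constructed sample inventory: (hostname, firmware). Not real devices.
SAMPLE_INVENTORY = [
    ("itk-6dg-lobby", "v5.3.4.3"),    # top of the first affected range
    ("itk-32lcg-desk", "v5.6.0.19"),  # top of the second affected range
    ("itk-32tcgs-ops", "v5.6.0.20"),  # fixed version from the bulletin
    ("itk-6dgs-bk", "V2.5.3.0"),      # fixed version from the bulletin
]


def parse_version(text: str) -> Version:
    """Turn 'v5.6.0.19' or 'V2.5.3.0' into a comparable 4-tuple of ints."""
    stripped = text.strip().lstrip("vV")
    parts = tuple(int(p) for p in stripped.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted components, got {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True if the firmware version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check only; nothing is sent after the handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, etc.
        return False


def web_exposure(host: str, ports: Iterable[int] = WEB_PORTS,
                 timeout: float = 1.0) -> Dict[int, bool]:
    """Map each web port to whether it accepts a connection from this host.

    Run it from the *external* side of the firewall. Any True result means
    the Web Programming Function is still reachable there, so the firewall
    rule, port change or disable step has not taken effect for that handset.
    If the port was moved per the ADMIN setting, pass the new port instead.
    """
    return {p: port_open(host, p, timeout) for p in ports}


def audit(inventory) -> List[Tuple[str, str, bool]]:
    """Return [(hostname, firmware, needs_patch)] for (hostname, firmware) pairs."""
    return [(name, fw, is_affected(fw)) for name, fw in inventory]


if __name__ == "__main__":
    for name, fw, needs_patch in audit(SAMPLE_INVENTORY):
        print(f"{name:16} {fw:10} {'PATCH REQUIRED' if needs_patch else 'ok'}")
    # Example exposure check against a hypothetical handset address.
    print(web_exposure("192.0.2.10"))
```

The version comparison is done on integer tuples rather than string prefixes so that, for example, v5.6.0.19 sorts below v5.6.0.20; a naive string comparison would get that wrong. Treat a timeout on the exposure check as "filtered", which is the desired state once the firewall rule is in place.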
Be aware that this is an ongoing investigation: additional
vulnerabilities may be discovered during continued testing, and NEC
will provide updates as information becomes available. Other
products not currently within the scope of this bulletin may also
be found to be affected.
UNIVERGE BLUE
All DT900S handsets connected to UNIVERGE BLUE will update
automatically to V5.6.0.20. The phones check for firmware updates
between 7pm and 11pm every Wednesday. An update can take up to
7 minutes, during which the phone cannot make calls.
All UNIVERGE BLUE DT900 handsets should therefore already have
updated to the latest firmware automatically; confirm the running
version on any handset that was powered off or disconnected during
that window.