NEC UC Channel Update - Safety & Security Advisories (CVE)

As part of NEC's commitment to continuous product development, we take a proactive approach in addressing the evolving security landscape.

With a focus on actively responding to vulnerabilities, we have identified a vulnerability (designated CVE-2023-3741) in the UNIVERGE Communication Products, DT900 Series, and DT900S Series.

It is crucial to note that this vulnerability carries a "High" risk level when the products are exposed to the network without stringent security controls. Please be aware that this vulnerability affects both intranet and external networks.

Impact on NEC Communication Products

The following products are currently known to be affected by the reported vulnerability.

The affected versions and phone types are listed below.

Type of Phone

  • ITK-6DG-1A(BK) TEL
  • ITK-24LCG-1A(BK) TEL
  • ITK-32LCG-1A(BK) TEL
  • ITK-32TCG-1A(BK) TEL
  • ITK-6DGS-1A(BK) TEL
  • ITK-32LCGS-1A(BK) TEL
  • ITK-32TCGS-1A(BK) TEL

Affected Version

  • v5.0.0.0 - v5.3.4.3
  • v5.4.0.0 - v5.6.0.19

Fixed Version

  • V2.5.3.0
  • v5.6.0.20

To successfully exploit these vulnerabilities, the attacker is required to send a specified packet.

Mitigation / Recommended Action

To minimise exposure to the vulnerability, this notice re-confirms the three basic practices that should be carried out. In addition to these, security patches must be applied to remove the remaining vulnerability. The following products are the subject of this notice.

Basic Practices

  • In the firewall of the customer's network environment, block communication with ports 80 and 443 from the external network.
  • Or change the port number for Web Programming Function by ADMIN settings.
  • If web settings are not used, please disable the Web Programming Function by ADMIN settings.

Security Patches

  • Apply the security patch firmware provided by NEC Platforms.
    • DT900 and DT900S Series 2.5.3.0 available now
    • DT900 and DT900S Series 5.6.0.20 available now

These basic practices should be carried out immediately. The security patch should be applied as soon as the patch software is available.
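To decide which handsets still need the patch, the firmware versions in a phone inventory can be compared against the affected ranges and fixed builds listed in this notice. The following is an added example, not NEC code; the CSV inventory format, the sample addresses and the function names are assumptions made for illustration.

```python
import csv
import io

# Affected firmware ranges and fixed builds as listed in this notice.
AFFECTED_RANGES = [("5.0.0.0", "5.3.4.3"), ("5.4.0.0", "5.6.0.19")]
FIXED_VERSIONS = ["2.5.3.0", "5.6.0.20"]

def parse_version(text):
    """Turn 'v5.6.0.19' or 'V2.5.3.0' into a tuple of ints for numeric comparison."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(firmware):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable' for one version string."""
    try:
        v = parse_version(firmware)
    except ValueError:
        return "unparseable"
    if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v in [parse_version(f) for f in FIXED_VERSIONS]:
        return "fixed"
    return "unlisted"  # version not covered by the table in this notice

def audit(inventory_csv):
    """Yield (ip, model, firmware, status) for every row of the inventory."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        yield row["ip"], row["model"], row["firmware"], classify(row["firmware"])

# Constructed sample inventory (hypothetical; addresses from the 192.0.2.0/24 documentation range).
SAMPLE = """ip,model,firmware
192.0.2.10,ITK-6DG-1A(BK) TEL,v5.3.4.3
192.0.2.11,ITK-32LCGS-1A(BK) TEL,V5.6.0.19
192.0.2.12,ITK-32TCGS-1A(BK) TEL,v5.6.0.20
192.0.2.13,ITK-24LCG-1A(BK) TEL,V2.5.3.0
192.0.2.14,ITK-32TCG-1A(BK) TEL,5.6.0
"""

if __name__ == "__main__":
    for ip, model, fw, status in audit(SAMPLE):
        print(f"{ip:12} {model:24} {fw:10} {status}")
```

Versions are compared as integer tuples rather than strings, so a build such as v5.6.0.9 is correctly placed below v5.6.0.19.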

Be aware that, as this is an ongoing and continuous investigation, additional vulnerabilities may be discovered during testing, and NEC will provide updates as information becomes available. Additionally, other products that are not currently considered within this bulletin may be discovered to be affected.

UNIVERGE BLUE

All DT900S handsets will automatically update to V5.6.0.20 when connected to UNIVERGE BLUE. The phones check for firmware updates between 7pm and 11pm every Wednesday. Updates can take up to 7 minutes before phone calls can be made.

All UNIVERGE BLUE DT900s should have updated to the latest firmware automatically.