CVE-2020-5684 - OpenCVE

iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nec	Ism Server M120 M12e M320 M320f

Configuration 1 [-]

AND

cpe:2.3:a:nec:ism_server:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:nec:m120:-:::::::*
	cpe:2.3:h:nec:m12e:-:::::::*
	cpe:2.3:h:nec:m320:-:::::::*
	cpe:2.3:h:nec:m320f:-:::::::*

No data.

References

Link	Providers
https://jpn.nec.com/security-info/secinfo/nv20-015.html
https://jvn.jp/en/jp/JVN10100024/index.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2020-12-24T01:20:20

Updated: 2024-08-04T08:39:25.823Z

Reserved: 2020-01-06T00:00:00

Link: CVE-2020-5684

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-24T02:15:12.957

Modified: 2020-12-28T18:25:19.187

Link: CVE-2020-5684

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Management software for NEC Storage disk array system", "vendor": "NEC Corporation", "versions": [{"status": "affected", "version": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express"}]}], "descriptions": [{"lang": "en", "value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate."}], "problemTypes": [{"descriptions": [{"description": "Improper server certificate verification", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-24T01:20:20", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jpn.nec.com/security-info/secinfo/nv20-015.html"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN10100024/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5684", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Management software for NEC Storage disk array system", "version": {"version_data": [{"version_value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express"}]}}]}, "vendor_name": "NEC Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper server certificate verification"}]}]}, "references": {"reference_data": [{"name": "https://jpn.nec.com/security-info/secinfo/nv20-015.html", "refsource": "MISC", "url": "https://jpn.nec.com/security-info/secinfo/nv20-015.html"}, {"name": "https://jvn.jp/en/jp/JVN10100024/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN10100024/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:39:25.823Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jpn.nec.com/security-info/secinfo/nv20-015.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jvn.jp/en/jp/JVN10100024/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5684", "datePublished": "2020-12-24T01:20:20", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.823Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nec:ism_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "752ABEA9-A949-4390-A361-CF95BB09F228", "versionEndExcluding": "12.1", "versionStartIncluding": "5.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:nec:m120:-:*:*:*:*:*:*:*", "matchCriteriaId": "759282D6-414A-4D06-9BD1-FCB50D524F5F", "vulnerable": false}, {"criteria": "cpe:2.3:h:nec:m12e:-:*:*:*:*:*:*:*", "matchCriteriaId": "ABEDC9FC-76CE-40C4-9DAE-9CF490D5D08F", "vulnerable": false}, {"criteria": "cpe:2.3:h:nec:m320:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6C0F3F9-244A-477A-91F1-E224A8CF7A23", "vulnerable": false}, {"criteria": "cpe:2.3:h:nec:m320f:-:*:*:*:*:*:*:*", "matchCriteriaId": "7061A1F3-ED55-4906-8E46-7F4BA9B427F1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate."}, {"lang": "es", "value": "El cliente iSM desde versiones V5.1 anteriores a V12.1, que se ejecutan en NEC Storage Manager o NEC Storage Manager Express no verifican un certificado de servidor apropiadamente, el cual permite a un atacante de tipo man-in-the-middle espiar una comunicaci\u00f3n cifrada o alterar la comunicaci\u00f3n por medio de un certificado dise\u00f1ado"}], "id": "CVE-2020-5684", "lastModified": "2020-12-28T18:25:19.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-24T02:15:12.957", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://jpn.nec.com/security-info/secinfo/nv20-015.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN10100024/index.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}