Warning: Multiple high severity vulnerabilities in NEC's EXPRESSCLUSTER X and CLUSTERPRO X
CVE-2023-39544 / 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-39545 / 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVE-2023-39546 / 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVE-2023-39547 / 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-39548 / 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
https://jpn.nec.com/security-info/secinfo/nv23-009_en.html
Risks
Multiple high-severity vulnerabilities affect NEC's CLUSTERPRO X and EXPRESSCLUSTER X, a software solution for high availability and remote disaster recovery that protects against data loss.
All five vulnerabilities have a HIGH impact on Confidentiality and Integrity.
Similar technologies have been targeted in the past during ransomware incidents where they constituted high-value targets for attackers.
Description
CVE-2023-39544: Missing Authentication
An attacker who can log in to the product can execute arbitrary commands.
CVE-2023-39545: Files or Directories Accessible to External Parties
An attacker who can log in to the product can obtain files containing credentials via the HTTP API.
CVE-2023-39546: Authentication Bypass
A remote attacker can use the 'Pass-The-Hash Attack' technique and attempt to log in to the product's WebUI as an administrator.
CVE-2023-39547: Capture-replay Authentication Bypass
A remote attacker may obtain sensitive information such as the contents of configuration files.
CVE-2023-39548: Unrestricted Upload of File of any type
A remote attacker can upload and execute an arbitrary script with administrative privileges.
Recommended Actions
Patch
The Centre for Cyber Security Belgium strongly recommends that system administrators visit NEC's Support Portal to download and install the patched versions of this software for Windows or Linux.
Windows: https://www.support.nec.co.jp/View.aspx?id=3150116748
Linux: https://www.support.nec.co.jp/View.aspx?id=3150116750
Mitigate
Apply the following workaround to avoid the impacts of these vulnerabilities:
• Disable "Enable WebManager Service" of WebManager/Cluster WebUI.
If disabling WebManager Service is not possible, applying one of the following workarounds may mitigate the impacts of these vulnerabilities:
• Use a firewall to block untrusted communication.
• Allow connection requests to the WebManager HTTP port (default: 29003/TCP) only from trusted clients.
• Set the communication scheme of WebManager/Cluster WebUI to HTTPS (for EXPRESSCLUSTER X 4.0 and later).
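The firewall workaround above, worked through as an added example that is not part of the NEC or CCB advisory: the script builds an nftables ruleset that accepts the WebManager HTTP port (the advisory's default, 29003/TCP) only from an allow-list of trusted management clients and drops it from everyone else, refuses catch-all entries such as 0.0.0.0/0 that would silently re-expose the port, and simulates which source addresses the resulting rules admit. It assumes a Linux cluster node with nftables; the trusted CIDRs are constructed sample values to be replaced with the real management subnets.

```python
"""Restrict the WebManager HTTP port to trusted clients (added example;
not code from NEC, CLUSTERPRO/EXPRESSCLUSTER or the CCB advisory).

Assumptions: Linux host with nftables, WebManager listening on the default
port from the advisory, and a constructed sample allow-list below."""
import ipaddress

WEBMANAGER_PORT = 29003  # default WebManager HTTP port named in the advisory

# Constructed sample allow-list: replace with the actual management subnets.
TRUSTED_CLIENTS = ["10.20.30.0/24", "192.0.2.10"]


def parse_trusted(cidrs):
    """Validate and normalise the allow-list.

    A /0 entry matches every source and would undo the restriction, so it
    is rejected rather than rendered into the ruleset."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"catch-all entry {cidr} defeats the restriction")
        nets.append(net)
    return nets


def build_nft_ruleset(cidrs, port=WEBMANAGER_PORT):
    """Render an nftables table: accept the port from trusted sources only,
    drop it from all other sources, and leave unrelated traffic to the
    host's existing policy (chain policy stays 'accept')."""
    nets = parse_trusted(cidrs)
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    lines = [
        "table inet webmanager_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
    ]
    if v4:
        lines.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {port} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {port} accept")
    # Anything reaching this line targets the port from an untrusted source.
    lines.append(f"    tcp dport {port} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


def is_allowed(src, cidrs):
    """Simulate the ruleset: would a connection to the port from src pass?"""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in parse_trusted(cidrs) if n.version == addr.version)


if __name__ == "__main__":
    # Write the output to a file and load it with `nft -f <file>`.
    print(build_nft_ruleset(TRUSTED_CLIENTS))
```

The explicit per-port drop at the end of the chain is what makes the rule self-contained: even on a host whose default input policy is permissive, a source outside the allow-list never reaches the WebManager listener, while the rest of the host's traffic is untouched.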
References
http://jvn.jp/en/vu/JVNVU98954968/index.html
https://www.cve.org/CVERecord?id=CVE-2023-39544
https://www.cve.org/CVERecord?id=CVE-2023-39545
https://www.cve.org/CVERecord?id=CVE-2023-39546
https://www.cve.org/CVERecord?id=CVE-2023-39547
https://www.cve.org/CVERecord?id=CVE-2023-39548