
Warning: Multiple high severity vulnerabilities in NEC's EXPRESSCLUSTER X and CLUSTERPRO X

Reference: 
Advisory #2023-139
Version: 
1.0
Affected software: 
CLUSTERPRO X Ver5.1 and earlier
EXPRESSCLUSTER X 5.1 and earlier
CLUSTERPRO X SingleServerSafe 5.0 and earlier
EXPRESSCLUSTER X SingleServerSafe 5.0 and earlier
Type: 
Missing Authentication, Files or Directories Accessible to External Parties, Authentication Bypass, Capture-replay Authentication Bypass, Unrestricted Upload of File with Dangerous Type
CVE/CVSS: 

CVE-2023-39544 / 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-39545 / 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVE-2023-39546 / 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVE-2023-39547 / 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-39548 / 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://jpn.nec.com/security-info/secinfo/nv23-009_en.html


Risks

Multiple high-severity vulnerabilities affect NEC's CLUSTERPRO X and EXPRESSCLUSTER X, a high-availability and remote disaster-recovery solution intended to prevent data loss.

All five vulnerabilities have a HIGH impact on Confidentiality and Integrity.

Similar technologies have been targeted in the past during ransomware incidents where they constituted high-value targets for attackers.

Description

CVE-2023-39544: Missing Authentication

An attacker who can log in to the product can execute arbitrary commands.

CVE-2023-39545: Files or Directories Accessible to External Parties

An attacker who can log in to the product can obtain files containing credentials via the HTTP API.

CVE-2023-39546: Authentication Bypass

A remote attacker can use the 'Pass-The-Hash Attack' technique and attempt to log in to the product's WebUI as an administrator.

CVE-2023-39547: Capture-replay Authentication Bypass

A remote attacker may obtain sensitive information such as the contents of configuration files.

CVE-2023-39548: Unrestricted Upload of File with Dangerous Type

A remote attacker can upload and execute an arbitrary script with administrative privileges. 

Recommended Actions

Patch

The Centre for Cyber Security Belgium strongly recommends that system administrators visit NEC's Support Portal to download and install the patched versions of this software for Windows or Linux.

Windows: https://www.support.nec.co.jp/View.aspx?id=3150116748
Linux: https://www.support.nec.co.jp/View.aspx?id=3150116750

Mitigate

Apply the following workaround to avoid the impacts of these vulnerabilities:

• Disable "Enable WebManager Service" of WebManager/Cluster WebUI.

If disabling WebManager Service is not possible, applying one of the following workarounds may mitigate the impacts of these vulnerabilities:

• Use a firewall to block untrusted communication.
• Allow connection requests to the WebManager HTTP port (default: 29003/TCP) only from trusted clients.
• Set the communication scheme of WebManager/Cluster WebUI to HTTPS (for EXPRESSCLUSTER X 4.0 and later).
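The two network workarounds above (firewall off untrusted traffic; allow the WebManager port only to trusted clients) can be implemented and then verified from logs. The script below is an added example, not NEC's or the CCB's code: it emits an nftables ruleset that accepts 29003/TCP only from an allowlist of client networks and logs-and-drops everything else, and it audits netfilter LOG lines to list any source outside that allowlist that still reached the port. The allowlist, the "WEBMGR" log prefix and the sample log lines are constructed for the example; the port number is the advisory's default.

```python
"""Restrict and audit access to the WebManager HTTP port (default 29003/TCP).

Added example, not NEC's or CCB's code. Assumes the cluster node logs
netfilter LOG-target lines with a "WEBMGR " prefix; the allowlist and the
log lines below are constructed for this example.
"""
import ipaddress
import re

# Default WebManager HTTP port named in the advisory.
WEBMANAGER_PORT = 29003

# Assumed allowlist: an admin subnet plus one jump host (constructed values).
TRUSTED_CLIENTS = ["198.51.100.0/24", "10.0.0.10/32"]

# Key/value fields we need from a netfilter LOG line.
_KV = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def nft_ruleset(trusted, port=WEBMANAGER_PORT):
    """Return an nftables ruleset accepting `port`/TCP only from `trusted`.

    The CIDRs go into a named set so the allowlist can be edited without
    touching the rule; any other client is logged (WEBMGR prefix) and dropped.
    """
    nets = ", ".join(str(ipaddress.ip_network(n, strict=False)) for n in trusted)
    return f"""table inet webmanager {{
    set trusted_clients {{
        type ipv4_addr
        flags interval
        elements = {{ {nets} }}
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        tcp dport {port} ip saddr @trusted_clients accept
        tcp dport {port} log prefix "WEBMGR " drop
    }}
}}
"""


def parse_log_line(line):
    """Return (src, proto, dport) from a netfilter LOG line, or None if missing."""
    fields = dict(_KV.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields["SRC"], fields["PROTO"], int(fields["DPT"])


def audit_log(lines, trusted, port=WEBMANAGER_PORT):
    """Return [(source, hit_count), ...] for untrusted sources reaching `port`/TCP.

    Sorted and de-duplicated so the result can go straight into a review
    ticket; lines for other ports or protocols are ignored.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    hits = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if proto != "TCP" or dport != port:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in nets):
            continue  # trusted client, nothing to report
        hits[src] = hits.get(src, 0) + 1
    return sorted(hits.items())


# Constructed sample: a mix of trusted and untrusted clients plus one
# unrelated port, as a generic connection log on the node might contain.
SAMPLE_LOG = [
    "Oct 12 10:00:01 node1 kernel: WEBMGR IN=eth0 SRC=198.51.100.20 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=29003",
    "Oct 12 10:00:05 node1 kernel: WEBMGR IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=29003",
    "Oct 12 10:00:09 node1 kernel: WEBMGR IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=29003",
    "Oct 12 10:00:12 node1 kernel: WEBMGR IN=eth0 SRC=10.0.0.10 DST=10.0.0.5 PROTO=TCP SPT=33000 DPT=29003",
    "Oct 12 10:00:15 node1 kernel: WEBMGR IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=33001 DPT=29003",
    "Oct 12 10:00:20 node1 kernel: OTHER IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=33002 DPT=22",
]

if __name__ == "__main__":
    print(nft_ruleset(TRUSTED_CLIENTS))
    for src, count in audit_log(SAMPLE_LOG, TRUSTED_CLIENTS):
        print(f"untrusted source {src} reached the WebManager port {count} time(s)")
```

Run as-is, the audit reports 203.0.113.7 (twice) and 192.0.2.44 (once); the port-22 line is ignored. Any source the audit lists after the ruleset has been loaded is either a missing allowlist entry or a client that should not be talking to the cluster at all. The same allowlist should also be applied if WebManager is switched to HTTPS, since HTTPS protects the session contents but not who may open one.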

References

http://jvn.jp/en/vu/JVNVU98954968/index.html

https://www.cve.org/CVERecord?id=CVE-2023-39544
https://www.cve.org/CVERecord?id=CVE-2023-39545
https://www.cve.org/CVERecord?id=CVE-2023-39546
https://www.cve.org/CVERecord?id=CVE-2023-39547
https://www.cve.org/CVERecord?id=CVE-2023-39548