Executive Summary

Summary
Title: Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication
Information
Name: VU#117604
First vendor publication: 2015-01-13
Vendor: VU-CERT
Last vendor modification: 2015-01-13
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Base Score: 4.3
CVSS Impact Score: 2.9
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#117604

Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication

Original Release date: 13 Jan 2015 | Last revised: 13 Jan 2015

Overview

Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data.

Description

CWE-319: Cleartext Transmission of Sensitive Information

Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data between the client and server. It has been reported that Active Directory and other sensitive credentials are exposed as a result.

According to Panasonic, the affected products are:
  • Arbitrator MK 2.0 VPU using USB Wi-Fi
  • Arbitrator MK 2.0 VPU using Direct LAN
  • Arbitrator MK 3.0 VPU using Embedded Wi-Fi
  • Arbitrator MK 3.0 VPU using Direct LAN
The majority of Panasonic Arbitrator clients do not use these two upload methods and are not affected. If you are a Panasonic Arbitrator client that uses your laptop Wi-Fi connection for uploading or a wired connection for uploading, you do not need to take any action.

Impact

A malicious user on the network may be able to discover sensitive credentials to other systems.

Solution

Apply an Update
Panasonic has released a statement with details on how to patch the system.

Vendor Information

Vendor      Status     Date Notified   Date Updated
Panasonic   Affected   18 Nov 2014     08 Jan 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            5.0     AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal        4.1     E:F/RL:OF/RC:C
Environmental   1.0     CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://www.panasonic.com/business/arbitrator/index.asp
  • http://us2.campaign-archive1.com/?u=8c9cff2e712e3b7d09a07ecef&id=21f059b3ab
  • http://cwe.mitre.org/data/definitions/319.html

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Chris King.

Other Information

  • CVE IDs: Unknown
  • Date Public: 11 Dec 2014
  • Date First Published: 13 Jan 2015
  • Date Last Updated: 13 Jan 2015
  • Document Revision: 17

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/117604

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

CPE : Common Platform Enumeration

Type   Description   Count
Hardware 1
Hardware 1
Os 1
Os 1

Alert History

Date   Information
2015-01-16 21:28:38
  • Multiple Updates
2015-01-16 05:32:17
  • Multiple Updates
2015-01-14 00:20:33
  • First insertion