NEC Security Advisory:
Possibility to eavesdrop on network packets of DT900/DT800 Series

Publish Date: DEC 17, 2021
Revision: 1.0

Vulnerability Overview

This notice relates to a vulnerability (designated CVE-2021-44746) that has been found in the UNIVERGE Communication Products DT900 Series and DT800 Series. The risk level of this vulnerability is “Low” if the products are exposed to the network without stringent security controls. Note that the vulnerability affects the intranet only and is not reachable from an outside network.

Impact on NEC Communication Products

The following products are currently known to be affected by the reported vulnerability.

  • DT900 Series
  • DT800 Series
  • IP Phone Manager (PC tool)
  • Data Maintenance Tool (PC tool)

To successfully exploit this vulnerability, an attacker needs a tool that can capture and analyze the network packets (SIP packets) exchanged between the DT900/DT800 Series and the PC tools on the intranet. Note that the PC tools are available on the intranet only.

Mitigation / Recommended Action

To minimize exposure to the vulnerability, this notice reaffirms two basic practices that should be carried out. On top of these, security patches must be applied to remove the remaining vulnerability. The following products are the subject of this notice.

[Basic Practices]

  • Limit users of IP Phone Manager/Data Maintenance Tool and record usage history.
  • Do not allow anyone to parse network packets on the intranet.

[Security Patches]

  • DT900 Series 2.5.0.0 available now (Update Procedure: GVT-177591-001)
  • DT800 Series
    • DT830 5.3.0.0 available now (Update Procedure: GVT-170220-001)
    • DT820 3.3.0.0 available now (Update Procedure: GVT-170220-001)
  • IP Phone Manager 8.10.0 available now (Update Procedure: GVT-022200-001)
  • Data Maintenance Tool
    • For DT900 5.4.0.0 available now (Update Procedure: A50-034844-001)
    • For DT800 4.3.0.0 available now (Update Procedure: A50-034844-001)

These basic practices should be carried out immediately. The security patch should be applied as soon as the patch software becomes available.

Please be aware that because this investigation is ongoing, additional vulnerabilities may be discovered during further testing and investigation, and NEC will provide updates as information becomes available. Additionally, other products not currently covered by this bulletin may be found to be affected.

[Credit]

The vulnerability was found and reported by Mr. Luke Ketteridge of the Government of Western Australia WA Country Health Service in Australia. We appreciate his excellent knowledge and professional approach, which led us to solve the problem.