Publish Date: NOV 29, 2023
Revision: 1.0

Vulnerability Overview

This notice relates to vulnerability (designated CVE-2023-3741) which has been found in the UNIVERGE Communication Products, DT900 Series and DT900S Series. This vulnerability has the risk level of “High” if the products are exposed to the network without stringent security controls. Note: this vulnerability affects both intranet and external networks.

Impact on NEC Communication Products

The following products are currently known to be affected by the reported vulnerability.
Please see the affected version and the type of products.

To successfully exploit these vulnerabilities, the attacker is required to send a specified packet.

Mitigation / Recommended Action

To minimize the vulnerability, this notice re-confirms to carry out three basic-practices. In addition to these, application of security patches will be required to remove the remaining vulnerability. The following products are the subject of this notice.

[Basic Practices]

[Security Patches]

These basic practices should be carried out immediately. The security patch should be applied immediately the patch software is available.

Be aware that as this is an ongoing and continuous investigation there may be additional vulnerabilities that are discovered during ongoing testing and investigation and NEC will provide updates as information becomes available. Additionally, other products that are not currently considered within this bulletin may be discovered to be affected.

[Credit]

The vulnerability was found and reported by Mr. Gianluca Altomani(https://gianlu.xyz/) and Mr. Manuel Romei(https://tortel.li/) in Italy.
We highly appreciate their excellent knowledge and professional approach that led to the resolution of this issue.