Vulnerability Note VU#117604

Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication

Original Release date: 13 Jan 2015 | Last revised: 13 Jan 2015

Overview

Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data.

Description

CWE-319: Cleartext Transmission of Sensitive Information

Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data between the client and server. It has been reported that Active Directory and other sensitive credentials are exposed as a result.

According to Panasonic, the affected products are:
  • Arbitrator MK 2.0 VPU using USB Wi-Fi
  • Arbitrator MK 2.0 VPU using Direct LAN
  • Arbitrator MK 3.0 VPU using Embedded Wi-Fi
  • Arbitrator MK 3.0 VPU using Direct LAN
The majority of Panasonic Arbitrator clients do not use these two upload methods and are not affected. If you are a Panasonic Arbitrator client that uses your laptop Wi-Fi connection for uploading or a wired connection for uploading, you do not need to take any action.

Impact

A malicious user on the network may be able to discover sensitive credentials to other systems.

Solution

Apply an Update
Panasonic has released a statement with details on how to patch the system.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Panasonic | Affected | 18 Nov 2014 | 08 Jan 2015

CVSS Metrics

Group Score Vector
Base 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal 4.1 E:F/RL:OF/RC:C
Environmental 1.0 CDP:N/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Chris King.

Other Information

  • CVE IDs: Unknown
  • Date Public: 11 Dec 2014
  • Date First Published: 13 Jan 2015
  • Date Last Updated: 13 Jan 2015
  • Document Revision: 17