
CERT Coordination Center


Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication

Vulnerability Note VU#117604

Original Release Date: 2015-01-13 | Last Revised: 2015-01-13

Overview

Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data.

Description

CWE-319: Cleartext Transmission of Sensitive Information

Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data between the client and server. It has been reported that Active Directory and other sensitive credentials are exposed as a result.

According to Panasonic, the affected products are:
- Arbitrator MK 2.0 VPU using USB Wi-Fi
- Arbitrator MK 2.0 VPU using Direct LAN
- Arbitrator MK 3.0 VPU using Embedded Wi-Fi
- Arbitrator MK 3.0 VPU using Direct LAN

The majority of Panasonic Arbitrator clients do not use these two upload methods and are not affected. If you are a Panasonic Arbitrator client that uses your laptop Wi-Fi connection for uploading or a wired connection for uploading, you do not need to take any action.

Impact

A malicious user on the network may be able to discover sensitive credentials to other systems.

Solution

Apply an Update
Panasonic has released a statement with details on how to patch the system.

Vendor Information


Panasonic

Notified: November 18, 2014 | Updated: January 08, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://us2.campaign-archive1.com/?u=8c9cff2e712e3b7d09a07ecef&id=21f059b3ab

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           5.0    AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal       4.1    E:F/RL:OF/RC:C
Environmental  1      CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Chris King.

Other Information

CVE IDs: None
Date Public: 2014-12-11
Date First Published: 2015-01-13
Date Last Updated: 2015-01-13 20:30 UTC
Document Revision: 17

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.