search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication

Vulnerability Note VU#117604

Original Release Date: 2015-01-13 | Last Revised: 2015-01-13


Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data.


CWE-319: Cleartext Transmission of Sensitive Information

Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data between the client and server. It has been reported that Active Directory and other sensitive credentials are exposed as a result.

According to Panasonic, the affected products are:
Arbitrator MK 2.0 VPU using USB Wi-Fi
Arbitrator MK 2.0 VPU using Direct LAN
Arbitrator MK 3.0 VPU using Embedded Wi-Fi
Arbitrator MK 3.0 VPU using Direct LAN
The majority of Panasonic Arbitrator clients do not use these two upload methods and are not affected. If you are a Panasonic Arbitrator client that uses your laptop Wi-Fi connection for uploading or a wired connection for uploading you do not need to take any action.


A malicious user on the network may be able to discover sensitive credentials to other systems.


Apply an Update
Panasonic has released a statement with details on how to patch the system.

Vendor Information

Affected   Unknown   Unaffected


Notified:  November 18, 2014 Updated:  January 08, 2015



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal 4.1 E:F/RL:OF/RC:C
Environmental 1 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to the reporter who wishes to remain anonymous.

This document was written by Chris King.

Other Information

CVE IDs: None
Date Public: 2014-12-11
Date First Published: 2015-01-13
Date Last Updated: 2015-01-13 20:30 UTC
Document Revision: 17

Sponsored by CISA.