Multiple vulnerabilities in Sharp NEC Display Solutions public displays



Published: 2021-09-20

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Command Injection

EUVDB-ID: #VU56693

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20698

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

UN462A: R1.300

UN462VA: R1.300

UN492S: R1.300

UN492VS: R1.300

UN552A: R1.300

UN552S: R1.300

UN552VS: R1.300

UN552: R1.300

UN552V: R1.300

UX552S: R1.300

UX552: R1.300

V864Q: R2.000

C861Q: R2.000

P754Q: R2.000

V754Q: R2.000

C751Q: R2.000

V984Q: R2.000

C981Q: R2.000

P654Q: R2.000

V654Q: R2.000

C651Q: R2.000

V554Q: R2.000

P404: R3.201

P484: R3.201

P554: R3.201

V404: R3.201

V484: R3.201

V554: R3.201

V404-T: R3.201

V484-T: R3.201

V554-T: R3.201

C501: R2.000

C551: R2.000

C431: R2.000

External links

http://www.sharp-nec-displays.com/global/support/info/A5-1_vulnerability.html
http://jvn.jp/en/jp/JVN42866574/index.html
http://www.sharp-nec-displays.com/dl/en/dp_soft/pd_fm_update/index.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU56694

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20699

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

UN462A: R1.300

UN462VA: R1.300

UN492S: R1.300

UN492VS: R1.300

UN552A: R1.300

UN552S: R1.300

UN552VS: R1.300

UN552: R1.300

UN552V: R1.300

UX552S: R1.300

UX552: R1.300

V864Q: R2.000

C861Q: R2.000

P754Q: R2.000

V754Q: R2.000

C751Q: R2.000

V984Q: R2.000

C981Q: R2.000

P654Q: R2.000

V654Q: R2.000

C651Q: R2.000

V554Q: R2.000

P404: R3.201

P484: R3.201

P554: R3.201

V404: R3.201

V484: R3.201

V554: R3.201

V404-T: R3.201

V484-T: R3.201

V554-T: R3.201

C501: R2.000

C551: R2.000

C431: R2.000

External links

http://www.sharp-nec-displays.com/global/support/info/A5-1_vulnerability.html
http://jvn.jp/en/jp/JVN42866574/index.html
http://www.sharp-nec-displays.com/dl/en/dp_soft/pd_fm_update/index.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###