Vulnerability Note VU#117604
Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication
Original Release date: 13 Jan 2015 | Last revised: 13 Jan 2015

Overview
Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data.

Description
CWE-319: Cleartext Transmission of Sensitive Information
Panasonic Arbitrator Back-End Server (BES) uses an unencrypted channel to transmit data between the client and server. It has been reported that Active Directory and other sensitive credentials are exposed as a result.

According to Panasonic, the affected products are:
Arbitrator MK 2.0 VPU using USB Wi-Fi
Arbitrator MK 2.0 VPU using Direct LAN
Arbitrator MK 3.0 VPU using Embedded Wi-Fi
Arbitrator MK 3.0 VPU using Direct LAN
The majority of Panasonic Arbitrator clients do not use these two upload methods and are not affected. If you are a Panasonic Arbitrator client that uses your laptop Wi-Fi connection for uploading or a wired connection for uploading, you do not need to take any action.

Impact
A malicious user on the network may be able to discover sensitive credentials to other systems.

Solution
Apply an Update
Panasonic has released a statement with details on how to patch the system.

Vendor Information

Vendor      Status     Date Notified   Date Updated
Panasonic   Affected   18 Nov 2014     08 Jan 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            5.0     AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal        4.1     E:F/RL:OF/RC:C
Environmental   1.0     CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

http://www.panasonic.com/business/arbitrator/index.asp
http://us2.campaign-archive1.com/?u=8c9cff2e712e3b7d09a07ecef&id=21f059b3ab
http://cwe.mitre.org/data/definitions/319.html

Credit

Thanks to the reporter who wishes to remain anonymous.
This document was written by Chris King.

Other Information

CVE IDs: Unknown
Date Public: 11 Dec 2014
Date First Published: 13 Jan 2015
Date Last Updated: 13 Jan 2015
Document Revision: 17

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.
