#VU56693 Command Injection in Sharp NEC Display Solutions products - CVE-2021-20698

Cybersecurity Help s.r.o.

Published: 2021-09-20

Vulnerability identifier: #VU56693

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-20698

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vendor: Sharp NEC Display Solutions

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

UN462A: R1.300

UN462VA: R1.300

UN492S: R1.300

UN492VS: R1.300

UN552A: R1.300

UN552S: R1.300

UN552VS: R1.300

UN552: R1.300

UN552V: R1.300

UX552S: R1.300

UX552: R1.300

V864Q: R2.000

C861Q: R2.000

P754Q: R2.000

V754Q: R2.000

C751Q: R2.000

V984Q: R2.000

C981Q: R2.000

P654Q: R2.000

V654Q: R2.000

C651Q: R2.000

V554Q: R2.000

P404: R3.201

P484: R3.201

P554: R3.201

V404: R3.201

V484: R3.201

V554: R3.201

V404-T: R3.201

V484-T: R3.201

V554-T: R3.201

C501: R2.000

C551: R2.000

C431: R2.000

External links
https://www.sharp-nec-displays.com/global/support/info/A5-1_vulnerability.html
https://jvn.jp/en/jp/JVN42866574/index.html
https://www.sharp-nec-displays.com/dl/en/dp_soft/pd_fm_update/index.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Sharp NEC Display Solutions public displays