
JVNDB-2016-000249

SKYSEA Client View vulnerable to arbitrary code execution

Overview

SKYSEA Client View, provided by Sky Co., LTD., is an enterprise IT asset management tool. The SKYSEA Client View agent program does not properly authenticate the peer on the TCP connection it accepts from the management console program. A remote attacker who can reach that TCP listener can therefore impersonate the console and execute arbitrary code on the client PC.

Attacks exploiting this vulnerability have been observed in the wild.

Sky Co., LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Sky Co., LTD. coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics: 10.0 (High) [IPA Score] (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

CVSS V3 Severity:
Base Metrics: 9.8 (Critical) [IPA Score] (vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

Sky Co., LTD.
  • SKYSEA Client View Ver.11.221.03 and earlier

Impact

The SKYSEA Client View agent program may be manipulated by a remote attacker who can connect to its TCP listener, without any credentials. As a result, arbitrary code may be executed on the client PC.
Solution

[Update the Software]
Apply the latest update according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.11.300.08h which contains a fix for this vulnerability.

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The patch is available from the developer's support page (registered users only).

[Apply a Workaround]
The following workaround may mitigate the effects of this vulnerability until the update or patch is applied.

* Restrict access to the SKYSEA Client View agent program: limit inbound connections to the agent's TCP listener so that only the management console can reach it (for example with a host firewall on the client PC or network filtering), and do not expose client PCs to untrusted networks.
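
As an added illustration of that workaround on a Windows client (this is not Sky's guidance and not part of the original advisory), the following PowerShell scopes the agent's inbound TCP listener to the management console using Windows Firewall. The port number, console address and rule name are assumptions: replace them with the values from your own deployment, and confirm the agent's real listening port on a client before rolling this out.

```powershell
# Added example, not Sky's documentation: restrict inbound access to the
# SKYSEA Client View agent listener to the management console only.
# Run elevated on the client PC (or deploy via GPO / startup script).
# ASSUMED values (not stated in the advisory). Confirm the agent's real
# listening port first, e.g.:  netstat -ano | findstr LISTENING
$AgentPort    = 52230              # assumed agent TCP port
$ConsoleHosts = @('192.0.2.10')    # assumed console address(es), RFC 5737 doc range
$RuleName     = 'SKYSEA agent - console only'

# 1. The default inbound action must be Block on every profile; otherwise a
#    connection that matches no rule would still be accepted.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any existing *unscoped* inbound allow rule for the agent port
#    (installers often create one). In Windows Firewall any matching allow
#    rule admits the connection, so an allow rule with RemoteAddress 'Any'
#    would let every remote host in regardless of the scoped rule below.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$AgentPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Host "Disabling unscoped inbound rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }
    }

# 3. Allow the console, and only the console, to reach the agent port.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $AgentPort -RemoteAddress $ConsoleHosts -Profile Any | Out-Null
}

# 4. Print the effective remote scope of the new rule so the change can be audited.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

To check the result, run Test-NetConnection -ComputerName <client> -Port <agent port> from a host other than the console: TcpTestSucceeded should be False there and True from the console. This only narrows who can reach the unauthenticated listener; it does not fix the missing authentication, so the vendor update or patch is still required.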
Vendor Information

Sky Co., LTD.
CWE

  1. No Mapping (CWE-noinfo) [IPA Evaluation]
CVE

  1. CVE-2016-7836
References

  1. JVN : JVN#84995847
  2. IPA SECURITY ALERTS : Security Alert for Vulnerability in SKYSEA Client View (JVN#84995847) (in Japanese)
  3. JPCERT : JPCERT-AT-2016-0051 (in Japanese)
  4. @Police : Security Alert for Vulnerability in SKYSEA Client View (in Japanese)
Revision History

[2016/12/22]
  Web page was published
[2017/03/10]
  Vendor Information : Content was added