Installer of Setup file of advance preparation for e-Tax software (WEB version) may insecurely load Dynamic Link Libraries


Installer of Setup file of advance preparation for e-Tax software (WEB version) provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.

BlackWingCat of Pink Flying Whale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

National Tax Agency JAPAN
  • e-Tax Software (WEB version) setup file of advance preparation (1.17.1) and earlier

[Updated on July 5, 2017]
This advisory was first published on June 26, 2017. At that point it was stated that the affected product was version 1.17.0, and updating to version 1.17.1 was the solution. However on July 3, 2017, it was confirmed the fix for this vulnerability incorporated in version 1.17.1 was not complete and the reported vulnerability still exists. Therefore, the description of the affected versions was modified to "1.17.1 and earlier".

Arbitrary code may be executed with the privilege of the user invoking the installer.

[Apply Workaround]
Be sure to check no malicious file exists in the same directory where the installer is placed.
For more details, refer to the information provided by the developer.

Users who already have installed Setup file of advance preparation for e-Tax software (WEB version) do not need to re-install the application, because this issue affects the installer only.
Vendor Information

National Tax Agency JAPAN
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-2226

  1. JVN : JVN#79451345
  2. JVN : JVNTA#91240916
Revision History

  Web page was published
  Affected Products : Product version was modified
  Solution was modified
  Vendor Information : Content was added