[Japanese]

JVNDB-2017-000223

Install program and Installer of i-filter 6.0 may insecurely load Dynamic Link Libraries and invoke executable files

Overview

i-filter 6.0 provided by Digital Arts Inc. is web filtering and parental control software. The install program is designed to download the installer via the internet and execute it. The i-filter 6.0 install program and installer contain the following vulnerabilities.

Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2017-10858,CVE-2017-10859.

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2017-10860.
Affected Products


Digital Arts Inc.
  • i-filter 6.0 install program" file version 1.0.8.1 and earlier
  • i-filter 6.0 installer" timestamp of code signing is before 23 Aug 2017 (JST)

Impact

Arbitrary code may be executed with the privilege of the user running the install program or the installer.
Solution

[Use the latest install program or installer]
Use the latest install prgram or installer according to the information provided by the developer.
Note that the vulnerabilities affect the install program and the installer only, thus users who have already installed i-filter 6.0 do not need to re-install the software.
Vendor Information

Digital Arts Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10858
  2. CVE-2017-10859
  3. CVE-2017-10860
References

  1. JVN : JVN#75929834
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2017-10858
  4. National Vulnerability Database (NVD) : CVE-2017-10859
  5. National Vulnerability Database (NVD) : CVE-2017-10860
Revision History

[2017/09/29]
  Web page was published