JVNDB-2023-000014

NEC PC Settings Tool vulnerable to missing authentication for critical function

PC Settings Tool is an application pre-installed on computers provided by NEC by default. PC Settings Tool Library contained in the application is vulnerable to missing authentication for critical function (CWE-306).

Haruki Yadani of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

The following versions of PC Settings Tool Library contained in PC Settings Tool are affected by this vulnerability.

NEC Corporation

• PC Setup Tool Library versions 10.1.26.0 and earlier (10.x.x.x Series contained in PC Settings Tool)
• PC Setup Tool Library versions 11.0.22.0 and earlier (11.x.x.x Series contained in PC Settings Tool 2.0)

PC Settings Tool is pre-installed on computers provided by NEC by default. For the details of the affected computer model numbers and/or product version numbers, refer to the information provided by the developer.

A general user of the computer which the affected product is installed may alter the registry with an administrative privilege.

[Update the Software]
Update the software to the followings according to the information provided by the developer.

* versions 10.1.27.0 or later (10.x.x.x Series contained in PC Settings Tool)
* versions 11.0.23.0 or later (11.x.x.x Series contained in PC Settings Tool 2.0)

NEC Corporation

• JVN : Information from NEC Corporation
• NEC : A missing authentication vulnerability in PC settings tool

1. Improper Authentication(CWE-287) [IPA Evaluation]

1. CVE-2023-25011

1. JVN : JVN#60320736

• [2023/02/10]
    Web page was published