[Japanese]

JVNDB-2024-000028

Multiple vulnerabilities in SKYSEA Client View

Overview

SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool.
SKYSEA Client View contains multiple vulnerabilities listed below.

* Improper access control in the specific folder (CWE-284) - CVE-2024-21805
* Improper access control in the resident process (CWE-284) - CVE-2024-24964

CVE-2024-21805
Ken Kitahara of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2024-24964
Ruslan Sayfiev, and Denis Faiustov of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Sky Co.,LTD. and coordinated. Sky Co.,LTD. and JPCERT/CC published respective advisories in order to notify users of the solutions through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2024-24964

CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.7 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-21805
Affected Products


Sky Co., LTD.
  • SKYSEA Client View versions from Ver.16.100 prior to Ver.19.2
  • SKYSEA Client View versions from Ver.11.220 prior to Ver.19.2

Impact

* An arbitrary file may be placed in the specific folder by a user who can log in to the PC where the product's Windows client is installed. In case the file is a specially crafted DLL file, arbitrary code may be executed with SYSTEM privilege - CVE-2024-21805
* An arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed - CVE-2024-24964
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.19.2 that addresses these vulnerabilities.

[Apply the patch]
For SKYSEA Client View Ver.17.0 to Ver.19.101, the developer has released patches that contain fixes for these vulnerabilities.
For more details, refer to the information provided by the developer.
Vendor Information

Sky Co., LTD.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-21805
  2. CVE-2024-24964
References

  1. JVN : JVN#54451757
Revision History

  • [2024/03/07]
      Web page was published

Date Public2024/03/07
Date First Published2024/03/07
Date Last Updated2024/03/07