JVNDB-2011-000102

Multiple vulnerabilities in products that use the Preboot Execution Environment (PXE) SDK

Overview

Products that use the Preboot Execution Environment (PXE) SDK sample code provided by Intel contain multiple vulnerabilities.

Products that use the PXE SDK sample code provided by Intel contain directory traversal and buffer overflow vulnerabilities.

Nobuyuki Kanaya of Fujitsu Laboratories Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 8.3 (High) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

Affected Products

Products that use the PXE SDK sample may be vulnerable.

For more information, refer to the vendor information under "Vendor Status".
The vendors that have released affected product information are as follows.

NEC Corporation
  • WebSAM DeploymentManager
Hitachi, Ltd.
  • JP1/ServerConductor/Deployment Manager Enterprise Edition
  • JP1/ServerConductor/Deployment Manager Standard Edition
  • ServerConductor/DeploymentManager
FUJITSU
  • SystemcastWizard Lite V2.0A and earlier

Impact

Information stored by the product using the PXE SDK sample code may be viewed, or arbitrary code may be executed.

Solution

[Update the software]
Update according to the information provided by the product developer.

Vendor Information

NEC Corporation
  • NEC Security Information : NV11-007 (only in Japanese)
Hitachi, Ltd.
  • Hitachi Software Vulnerability Information : HS11-026 (only in Japanese)
FUJITSU

CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]
  2. Path Traversal (CWE-22) [IPA Evaluation]

CVE

  1. CVE-2009-0270

References

  1. JVN : JVN#05255562
  2. National Vulnerability Database (NVD) : CVE-2009-0270

Revision History

  • [2011/12/15]
      Web page was published
  • [2011/12/20]
      Affected Products : Products were added
      Vendor Information : Content was added