JVNDB-2016-002299

SaAT Netizen fails to properly verify downloaded installation and update files

Overview

SaAT Netizen contains a vulnerability where files downloaded for installation or an update are not properly verified.

The SaAT Netizen installer and SaAT Netizen contain a vulnerability where downloaded files are not properly verified during the installation or update process.

PinkFlyingWhale BlackWingCat reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.6 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


NetMove Corporation
  • SaAT Netizen ver.1.2.0.8 (Build427) and earlier
  • SaAT Netizen installer ver.1.2.0.424 and earlier

Impact

A successful man-in-the-middle attack may result in a specially crafted file prepared by an attacker being downloaded and executed.
Solution

After the PC is rebooted, SaAT Netizen is automatically updated to the version that addresses this vulnerability.
The developer has released an updated version of the SaAT Netizen installer that addresses this vulnerability.

[Re-install the software]
If running an affected version of SaAT Netizen, uninstall that version and re-install SaAT Netizen using the newest available version of the installer.
Vendor Information

NetMove Corporation
CWE

  1. No Mapping(CWE-noinfo) [NVD Evaluation]
CVE

  1. CVE-2016-1203
References

  1. JVN : JVNVU#97339542
  2. National Vulnerability Database (NVD) : CVE-2016-1203
Revision History

  • [2016/12/05]
      Web page was published
  • [2024/06/27]
      CWE was modified
      References : Content was added