JVNDB-2017-000189

Installers of Sony PaSoRi related software may insecurely load Dynamic Link Libraries

PaSoRi provided by Sony Corporation is contactless IC card reader/writer. Installers of PaSoRi driver and other related software for Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Sony Corporation

• NFC net installer Ver.1.1.0.0 and earlier
• NFC Port Software (formerly FeliCa port software) Version 5.5.0.6 and earlier Products: RC-S310, RC-S320, RC-S330, RC-S370, RC-S380, RC-S380/S
• NFC Port Software (formerly FeliCa port software) Version 5.3.6.7 and earlier Products: RC-S320, RC-S310/J1C, RC-S310/ED4C
• PC/SC activator for Type B Ver.1.2.1.0 and earlier
• SFCard Viewer 2 Ver.2.5.0.0 and earlier

Arbitrary code may be executed with the privilege of the user invoking the installer.

[Use the latest installer]
Use the latest installer according to the information provided by the developer.
Users who already have installed the software do not need to re-install, because this issue affects the installers only.

According to the developer, they have stopped distributing the NFC net installer since July 25th, 2017.

Sony Corporation

• Sony : New installer with security fixes for users of the USB NFC reader for Windows

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2017-2286

1. JVN : JVN#16136413
2. JVN : JVNTA#91240916
3. National Vulnerability Database (NVD) : CVE-2017-2286

• [2017/07/27]
    Web page was published
  [2018/01/24]
    References : Content was added