[Japanese]

JVNDB-2017-000198

Installer and self-extracting archive containing the installer of TDB CA TypeA use software may insecurely load Dynamic Link Libraries

Overview

TDB CA TypeA use software provided by Teikoku Databank, Ltd. is a software which provides environment for using system and management function of TDB electronic authentication service TypeA. The installer and the self-extracting archive containing the installer of TDB CA TypeA use software contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


TEIKOKU DATABANK, LTD.
  • TDB CA TypeA use software version 5.2 and earlier, distributed until 10 August 2017

Impact

Arbitrary code may be executed with the privilege of the user invoking the installer or the self-extracting archive.
Solution

[Use the latest self-extracting archive and invoke the installer carefully]
Use the latest self-extracting archive according to the information provided by the developer.
Re-installation of the application is not necessary, because this issue affects the installer only.
Vendor Information

TEIKOKU DATABANK, LTD.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10824
References

  1. JVN : JVN#18641169
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2017-10824
Revision History

  • [2017/08/18]
      Web page was published
    [2018/02/14]
      References : Content was added