[Japanese]

JVNDB-2018-000074

DLL planting vulnerability in multiple Yayoi 17 Series products

Overview

Multiple Yayoi 17 Series products provided by Yayoi Co., Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Yayoi Co., Ltd
  • Yayoi Kyuuyo Keisan 17 Ver.20.1.4 and earlier
  • Yayoi Kokyaku Kanri 17 Ver.11.0.2 and earlier
  • Yayoi Aoiro Shinkoku 17 Ver.23.1.1 and earlier
  • Yayoi Kaikei 17 Series Ver.23.1.1 and earlier
  • Yayoi Kyuuyo 17 Ver.20.1.4 and earlier
  • Yayoi Hanbai 17 Series Ver.20.0.2 and earlier

Impact

Arbitrary code may be executed with the privilege of the running application.
Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
Vendor Information

Yayoi Co., Ltd
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2018-0623
  2. CVE-2018-0624
References

  1. JVN : JVN#06813756
  2. JVN : JVNTA#91240916
Revision History

  • [2018/07/20]
      Web page was published