JVNDB-2020-000086

Self-Extracting files created by multiple SEIKO EPSON products may insecurely load Dynamic Link Libraries

Self-Extracting files created by multiple SEIKO EPSON products contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

SEIKO EPSON CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and SEIKO EPSON CORPORATION coordinated under the Information Security Early Warning Partnership.

SEIKO EPSON CORPORATION

• EpsonNet SetupManager versions 2.2.14 and earlier
• Offirio SynergyWare PrintDirector versions 1.6x/1.6y and earlier

Arbitrary code may be executed with the privilege of the user invoking the Self-Extracting files.

[Update the software]
Update the software to the latest version according to the information provided by the developer.
According to the developer, this vulnerability has been already addressed in the following versions.
* EpsonNet SetupManager version 2.2.15
* Offirio SynergyWare PrintDirector versions 1.6.1.1/1.6.1.2

[Apply workarounds]
Applying workarounds may mitigate the impacts of this vulnerability.
* Do not use the Self-Extracting files created by the products with the affected versions.
* If it is unavoidable to excute the Self-Extracting files created by the products with the affected versions, make sure there are no untrusted files in the directory where the Self-Extracting files exist.

SEIKO EPSON CORPORATION

• EPSON : SEIKO EPSON CORPORATION website (in Japanese)

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2020-5681

1. JVN : JVNTA#91240916
2. JVN : JVN#94244575

• [2020/12/18]
    Web page was published