[Japanese]

JVNDB-2022-001387

Installer of WPS Office for Windows misconfigures the ACL for the installation directory

Overview

Installer of WPS Office for Windows misconfigures the ACL for the installation directory.

When WPS Office for Windows is installed, some service program is registered to the OS, which is invoked with some administrative privilege.
The installer fails to configure properly the ACL for the directory where the service program is installed (CWE-276).

Mohammed Hadi reported this vulnerability to the vendor and JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [Other]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Kingsoft Office Software, Inc.
  • WPS Office for Windows, versions prior to v11.2.0.10258

Impact

A non-administrative user may touch/modify/remove any files in the directory where the service program is installed, resulting to privilege escalation.
Solution

[Update the Software]
Update WPS Office for Windows to the latest version.

According to the developer, the vulnerability is fixed on v11.2.0.10258.
Vendor Information

Kingsoft Office Software, Inc.
CWE (What is CWE?)

  1. Incorrect Default Permissions(CWE-276) [Other]
CVE (What is CVE?)

  1. CVE-2022-25943
References

  1. JVN : JVNVU#90673830
  2. National Vulnerability Database (NVD) : CVE-2022-25943
  3. Related document : GitHub / HadiMed / KINGSOFT-WPS-Office-LPE
Revision History

  • [2022/03/09]
      Web page was published
  • [2022/03/10]
      References : Content was added
  • [2024/06/21]
      References : Content was added