[Japanese]

JVNDB-2023-000014

NEC PC Settings Tool vulnerable to missing authentication for critical function

Overview

PC Settings Tool is an application pre-installed on computers provided by NEC by default. PC Settings Tool Library contained in the application is vulnerable to missing authentication for critical function (CWE-306).

Haruki Yadani of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products

The following versions of PC Settings Tool Library contained in PC Settings Tool are affected by this vulnerability.

NEC Corporation
  • PC Setup Tool Library versions 10.1.26.0 and earlier (10.x.x.x Series contained in PC Settings Tool)
  • PC Setup Tool Library versions 11.0.22.0 and earlier (11.x.x.x Series contained in PC Settings Tool 2.0)

PC Settings Tool is pre-installed on computers provided by NEC by default. For the details of the affected computer model numbers and/or product version numbers, refer to the information provided by the developer.
Impact

A general user of the computer which the affected product is installed may alter the registry with an administrative privilege.
Solution

[Update the Software]
Update the software to the followings according to the information provided by the developer.

* versions 10.1.27.0 or later (10.x.x.x Series contained in PC Settings Tool)
* versions 11.0.23.0 or later (11.x.x.x Series contained in PC Settings Tool 2.0)
Vendor Information

NEC Corporation
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-25011
References

  1. JVN : JVN#60320736
  2. National Vulnerability Database (NVD) : CVE-2023-25011
Revision History

  • [2023/02/10]
      Web page was published
  • [2024/06/10]
      References : Content was added