
JVNDB-2024-000074

Multiple vulnerabilities in SKYSEA Client View

Overview

SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool.
SKYSEA Client View contains multiple vulnerabilities listed below.

  • Improper access control in a specific process (CWE-266) - CVE-2024-41139

  • Origin validation error in shared memory data exchanges (CWE-346) - CVE-2024-41143

  • Path traversal (CWE-22) - CVE-2024-41726



Ruslan Sayfiev and Denis Faiustov of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to Sky Co.,LTD. and coordinated the disclosure. Sky Co.,LTD. and JPCERT/CC published their respective advisories through JVN to notify users of the solutions.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned for CVE-2024-41139


CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned for CVE-2024-41143


CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base score has been assigned for CVE-2024-41726
Affected Products


Sky Co., LTD.
  • SKYSEA Client View versions from Ver.6.010.06 to Ver.19.210.04e (CVE-2024-41139)
  • SKYSEA Client View versions from Ver.3.013.00 to Ver.19.210.04e (CVE-2024-41143)
  • SKYSEA Client View versions from Ver.15.200.13i to Ver.19.210.04e (CVE-2024-41726)

Impact


  • If a user who can log in to the PC where the product's Windows client is installed places a specially crafted DLL file in a specific folder, arbitrary code may be executed with SYSTEM privilege (CVE-2024-41139)

  • An arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed (CVE-2024-41143)

  • An arbitrary executable file may be executed by a user who can log in to the PC where the product's Windows client is installed (CVE-2024-41726)

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.19.3, which addresses these vulnerabilities.

[Apply the patch]
For SKYSEA Client View Ver.17.0 to Ver.19.210.04e, the developer has released patches that contain fixes for these vulnerabilities.
For more details, refer to the information provided by the developer.
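To turn the Affected Products ranges and the two remediation options above into a check that can be run against an inventory of installed versions, here is an added example; it is not part of the advisory and not a Sky tool. It assumes (the page does not say) that the numeric fields of a version such as Ver.19.210.04e compare numerically and that a trailing letter denotes a later build of the same numeric version, so 15.200.13 sorts before 15.200.13i. Note that "Ver.19.3" in the Solution is a release name rather than a build number in this scheme, and the page gives no build number for the fixed release, so the checker reports only whether a version falls inside a listed affected range.

```python
import re

# Affected ranges exactly as listed in this advisory (inclusive at both ends).
AFFECTED_RANGES = {
    "CVE-2024-41139": ("Ver.6.010.06", "Ver.19.210.04e"),
    "CVE-2024-41143": ("Ver.3.013.00", "Ver.19.210.04e"),
    "CVE-2024-41726": ("Ver.15.200.13i", "Ver.19.210.04e"),
}
# Oldest version for which the developer offers a patch rather than a full update.
PATCHABLE_FROM = "Ver.17.0"

# Optional "Ver." prefix, one to three numeric fields, optional trailing build letter.
_VERSION_RE = re.compile(r"^(?:Ver\.)?(\d+(?:\.\d+){0,2})([a-z]?)$")


def parse_version(text: str) -> tuple:
    """Turn 'Ver.19.210.04e' into (19, 210, 4, 'e').

    Assumption (not stated on the page): numeric fields compare numerically and
    a trailing letter is a later build of the same numeric version, with the
    empty suffix sorting before 'a'.  Missing numeric fields are treated as 0,
    so 'Ver.17.0' becomes (17, 0, 0, '').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SKYSEA version string: {text!r}")
    numbers = tuple(int(field) for field in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))
    return numbers + (m.group(2),)


def affected_cves(version: str) -> frozenset:
    """Return the CVE IDs whose listed affected range contains `version`."""
    v = parse_version(version)
    return frozenset(
        cve
        for cve, (low, high) in AFFECTED_RANGES.items()
        if parse_version(low) <= v <= parse_version(high)
    )


def remediation(version: str) -> str:
    """Map an installed version to the remediation options given in this advisory."""
    if not affected_cves(version):
        return "not in a listed affected range"
    if parse_version(version) >= parse_version(PATCHABLE_FROM):
        return "apply the vendor patch or update to Ver.19.3"
    return "update to Ver.19.3"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in (("pc-01", "Ver.19.210.04e"), ("pc-02", "15.200.13"),
                      ("pc-03", "5.000.00"), ("pc-04", "19.300.01")):
        print(host, ver, sorted(affected_cves(ver)), "->", remediation(ver))
```

The suffix handling matters at the lower bound of CVE-2024-41726: a host on 15.200.13 without the letter is outside that range but still inside the other two, and any version at or above 17.0 can take the vendor patch instead of a full update.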
Vendor Information

Sky Co., LTD.
CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2024-41139
  2. CVE-2024-41143
  3. CVE-2024-41726
References

  1. JVN: JVN#84326763
Revision History

  • [2024/07/29]
      Web page was published
  • [2024/07/31]
      Affected Products : Product version was modified
      Solution was modified