[Japanese]

JVNDB-2024-003050

KEYENCE VT STUDIO may insecurely load Dynamic Link Libraries

Overview

VT STUDIO provided by KEYENCE CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427, CVE-2024-28099).

KEYENCE CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


KEYENCE CORPORATION.
  • VT STUDIO Ver.8.32 and earlier

Impact

Arbitrary code may be executed with the privilege to run the software.

[Comment]
This analysis assumes that the user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder.
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

KEYENCE CORPORATION.
CWE (What is CWE?)

  1. Uncontrolled Search Path Element(CWE-427) [Other]
CVE (What is CVE?)

  1. CVE-2024-28099
References

  1. JVN : JVNVU#92825069
  2. JVN : JVNTA#91240916
Revision History

  • [2024/04/01]
      Web page was published

Date Public2024/03/29
Date First Published2024/04/01
Date Last Updated2024/04/01