Published: 2017/08/31  Last Updated: 2017/08/31

JVN#09769017
Multiple Fuji Xerox products may insecurely load Dynamic Link Libraries

Overview

Multiple Fuji Xerox products may insecurely load Dynamic Link Libraries.

Products Affected

CVE-2017-10848
  • Installer for DocuWorks 8.0.7 and earlier
  • Installer for DocuWorks Viewer Light published in Jul 2017 and earlier
CVE-2017-10849
  • Self-extracting document generated by DocuWorks 8.0.7 and earlier
CVE-2017-10850
  • Installer of ART EX Driver for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 12 Apr 2017 02:04 UTC.)
  • Installer of PostScript® Driver + Additional Feature Plug-in + PPD File for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 12 Apr 2017 02:10 UTC.)
  • Installer of XPS Print Driver for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 3 Nov 2017 23:48 UTC.)
  • Installer of ART EX Direct FAX Driver for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 26 May 2017 07:44 UTC.)
  • Installer of Setting Restore Tool for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 25 Aug 2015 08:51 UTC.)
CVE-2017-10851
  • Installer for ContentsBridge Utility for Windows 7.4.0 and earlier

Description

Installers of multiple products and DocuWorks self-extracting documents provided by Fuji Xerox Co.,Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Impact

  • Arbitrary code may be executed with the privileges of the administrative user invoking the installer - CVE-2017-10848, CVE-2017-10850, CVE-2017-10851
  • Arbitrary code may be executed with the privileges of the user invoking the self-extracting document generated by DocuWorks - CVE-2017-10849

Solution

CVE-2017-10848, CVE-2017-10850, CVE-2017-10851
Use the latest installer
Use the latest installer according to the information provided by the developer.

CVE-2017-10849
Update the Software
Update to the latest version according to the information provided by the developer.

Apply a Workaround
The self-extracting document generator function is not included in the latest version of the software.
When invoking the DocuWorks self-extracting document file, place the document (.exe) file in a newly created empty folder.
For more information, refer to the information provided by the developer.
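
The workaround above, shown as an added example (not code from JVN or the developer): it lists any DLLs sitting beside a downloaded .exe and copies the .exe alone into a newly created empty folder before it is opened. The function names and the use of the user's temp directory as the staging location are assumptions.

```python
import shutil
import tempfile
from pathlib import Path


def sibling_dlls(exe_path):
    """Return the names of DLL files in the same folder as exe_path.

    With an insecure DLL search path (CWE-427), a DLL located next to the
    .exe, for example in a shared download folder, may be loaded at start-up.
    """
    folder = Path(exe_path).resolve().parent
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")


def stage_in_empty_folder(exe_path):
    """Copy exe_path alone into a newly created empty folder; return the copy."""
    src = Path(exe_path).resolve()
    if not src.is_file():
        raise FileNotFoundError(src)
    # mkdtemp always creates a new, uniquely named directory (assumed location:
    # the current user's temp directory).
    staging = Path(tempfile.mkdtemp(prefix="staged-"))
    dst = staging / src.name
    shutil.copy2(src, dst)
    # Confirm that nothing else is in the folder before the file is opened.
    extras = [p.name for p in staging.iterdir() if p.name != src.name]
    if extras:
        shutil.rmtree(staging)
        raise RuntimeError(f"staging folder is not empty: {extras}")
    return dst


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    found = sibling_dlls(target)
    if found:
        print("DLLs beside the file (not copied):", ", ".join(found))
    print("Open the file from:", stage_in_empty_folder(target))
```
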

Vendor Status

Vendor: Fuji Xerox Co.,Ltd.
Status: Vulnerable
Last Update: 2017/08/31
Vendor Notes: Fuji Xerox Co.,Ltd. website

References

  1. Japan Vulnerability Note JVNTA#91240916
    Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
  Attack Vector (AV): Local (L)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): Required (R)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I): High (H)
  Availability Impact (A): High (H)

CVSS v2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
  Access Vector (AV): Network (N)
  Access Complexity (AC): Medium (M)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): Partial (P)
  Availability Impact (A): Partial (P)

Comment

This analysis assumes that the user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder.

Credit

Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2017-10848, CVE-2017-10849, CVE-2017-10850, CVE-2017-10851
JVN iPedia: JVNDB-2017-000219