Published:2018/10/09 Last Updated:2018/10/11
JVN#36623716
Music Center for PC improperly verifies software update files
Overview
Music Center for PC improperly verifies software update files
Products Affected
- Music Center for PC version 1.0.02 and earlier
Description
Music Center for PC provided by Sony Video & Sound Products Inc. contains an issue in software update process (CWE-669). As a result, under a man-in-the-middle attack, a specially crafted executable file may be downloaded and executed.
Impact
Under a man-in-the-middle attack, a specially crafted file may be downloaded and executed.
Solution
Update the Software
Update to the latest version using the latest installer directly downloaded from the developer's site, according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Sony Video & Sound Products Inc. | Vulnerable | 2018/10/09 | Sony Video & Sound Products Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score:
7.5
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:H/Au:N/C:P/I:P/A:P
Base Score:
5.1
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
DigiGnome reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2018-0690 |
| JVN iPedia |
JVNDB-2018-000103 |
Update History
- 2018/10/11
- Information under the section "Solution" was revised.