Published:2017/07/13  Last Updated:2017/07/13

JVN#42031953
FileCapsule Deluxe Portable and Encrypted Files in Self-Decryption Format created by FileCapsule Deluxe Portable may insecurely load Dynamic Link Libraries

Overview

FileCapsule Deluxe Portable and Encrypted files in self-decryption format created by FileCapsule Deluxe Portable may insecurely load Dynamic Link Libraries.

Products Affected

  • FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier - CVE-2017-2265
  • Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier - CVE-2017-2266
  • FileCapsule Deluxe Portable Ver.1.0.5.1 and earlier - CVE-2017-2267
  • Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.1.0.5.1 and earlier - CVE-2017-2268
  • FileCapsule Deluxe Portable Ver.2.0.9 and earlier - CVE-2017-2269
  • Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.2.0.9 and earlier - CVE-2017-2270

Description

FileCapsule Deluxe Portable is a file encryption software. FileCapsule Deluxe Portable contains the following vulnerabilities.

  • FileCapsule Deluxe Portable insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2265, CVE-2017-2267, CVE-2017-2269
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8
  • Encrypted files in self-decryption format created by FileCapsule Deluxe Portable insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2266, CVE-2017-2268, CVE-2017-2270
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8

Impact

  • Arbitrary code may be executed with the privilege of the user invoking the application. - CVE-2017-2265, CVE-2017-2267, CVE-2017-2269
  • Arbitrary code may be executed with the privilege of the user invoking the Encrypted file in self-decryption format. - CVE-2017-2266, CVE-2017-2268, CVE-2017-2270

Solution

Update the Software
Update to the latest version according to the information provided by the developer. Encrypted files in self-decryption format must be re-created using the latest version.

According to the developer, following actions are necessary when using Windows OS prior to Windows 8.

  • In case of Windows Vista or 7, KB2533623 provided by Microsoft should be applied before using the latest version.
  • In case of Windows XP, users must take care where to place the application or the encrypted files in self-decryption format. Make sure no untrusted files exist in the same folder as the application or the encrypted file in self-decryption format.

For more information, refer to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Tomoki Fuke Vulnerable 2017/07/13 Tomoki Fuke website

References

  1. Japan Vulnerability Notes JVNTA#91240916
    Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2017-2265
CVE-2017-2266
CVE-2017-2267
CVE-2017-2268
CVE-2017-2269
CVE-2017-2270
JVN iPedia JVNDB-2017-000172