JVNVU#97339542
SaAT Netizen fails to properly verify downloaded installation and update files
Overview
SaAT Netizen contains a vulnerability where files downloaded for installation or an update are not properly verified.
Products Affected
- SaAT Netizen installer ver.1.2.0.424 and earlier
- SaAT Netizen ver.1.2.0.8 (Build427) and earlier
Description
The SaAT Netizen installer and SaAT Netizen contain a vulnerability where downloaded files are not properly verified during the installation or update process.
Impact
A successful man-in-the-middle attack may result in a specially crafted file prepared by an attacker being downloaded and executed.
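Added example, not the vendor's code and not taken from this advisory: one way an updater can verify a downloaded package before it is allowed to run, which is the check the Description says is missing. The advisory does not say how the fixed version verifies files; the function names, the size cap, and the use of a SHA-256 digest obtained from a trusted source (for example, pinned in the installer or read from a signed manifest) are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

MAX_UPDATE_BYTES = 64 * 1024 * 1024  # assumed cap on package size

class UpdateRejected(Exception):
    """The downloaded package failed verification and was discarded."""

def stage_verified_update(chunks, expected_sha256, dest_dir):
    """Hash the download while writing it to a temp file; publish it under its
    final name only if the digest matches, so the verified bytes are the bytes
    that can later be executed. expected_sha256 must come from a trusted source
    (assumption), never from the same unauthenticated channel as the package."""
    expected = expected_sha256.strip().lower()
    digest, total = hashlib.sha256(), 0
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                total += len(chunk)
                if total > MAX_UPDATE_BYTES:
                    raise UpdateRejected("package exceeds size limit")
                digest.update(chunk)
                out.write(chunk)
        if not hmac.compare_digest(digest.hexdigest(), expected):
            raise UpdateRejected("SHA-256 mismatch")
        final_path = os.path.join(dest_dir, "update-" + expected[:16] + ".bin")
        os.replace(tmp_path, final_path)
        return final_path
    except BaseException:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)  # fail closed: nothing unverified stays on disk
        raise

def demo():
    """Constructed sample data: a genuine package and one altered in transit."""
    genuine = [b"constructed ", b"update ", b"payload"]
    tampered = [b"constructed ", b"UPDATE ", b"payload"]
    trusted = hashlib.sha256(b"".join(genuine)).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        staged = os.path.basename(stage_verified_update(genuine, trusted, d))
        try:
            stage_verified_update(tampered, trusted, d)
            rejected = False
        except UpdateRejected:
            rejected = True
        return staged, rejected, sorted(os.listdir(d))
```

Calling `demo()` stages the genuine package, rejects the altered one, and leaves only the verified file in the directory.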
Solution
SaAT Netizen will be automatically updated to the updated version that addresses this vulnerability after rebooting the PC.
The developer has released an updated version of the SaAT Netizen installer that addresses this vulnerability.
Re-install the software
If running an affected version of SaAT Netizen, uninstall that version and re-install SaAT Netizen using the newest available version of the installer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
NetMove Corporation | Vulnerable | 2016/05/19 | NetMove Corporation website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
This analysis assumes that a man-in-the-middle attack results in arbitrary data being sent to the product.
Credit
PinkFlyingWhale 黒翼猫 (BlackWingCat) reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2016-1203 |
JVN iPedia | |
Update History
- 2016/11/18: Information under the section "Credit" was modified.