Published: 2020/04/20  Last Updated: 2020/04/28

JVN#13467854
Toshiba Electronic Devices & Storage software registers unquoted service paths

Overview

Some of Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths.

Products Affected

HDD Password tool (for Windows) version 1.20.6620 and earlier, as stored on the devices listed below and downloaded before 2020 May 10, is affected:

  • CANVIO PREMIUM 3TB
    • HD-MB30TY
    • HD-MA30TY
    • HD-MB30TS
    • HD-MA30TS
  • CANVIO PREMIUM 2TB
    • HD-MB20TY
    • HD-MA20TY
    • HD-MB20TS
    • HD-MA20TS
  • CANVIO PREMIUM 1TB
    • HD-MB10TY
    • HD-MA10TY
    • HD-MB10TS
    • HD-MA10TS

  • CANVIO SLIM 1TB
    • HD-SB10TK
    • HD-SB10TS
  • CANVIO SLIM 500GB
    • HD-SB50GK
    • HD-SA50GK
    • HD-SB50GS
    • HD-SA50GS

Description

Some of Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths (CWE-428).

Impact

When a registered path contains spaces, and a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service.
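As an added example (not code from the advisory or the vendor), the following Python audit helper classifies service ImagePath values the way a defender checks for CWE-428: it flags unquoted paths that contain spaces, lists the directories whose write permissions need review, and produces the quoted remediation. The service names and path values are constructed; on a real host they would be read from each service's ImagePath registry value.

```python
import ntpath
import re
# Added audit helper (not from the advisory or vendor) for CWE-428 service paths.
# On a real host the values come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
_EXE_RE = re.compile(r"(?i)^(.*?\.exe)(?=\s|$)(.*)$")

def split_image_path(image_path):
    """Return (executable, arguments, quoted) for an ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:                       # unterminated quote: rest is the exe
            return value[1:], "", True
        return value[1:end], value[end + 1:].strip(), True
    m = _EXE_RE.match(value)
    if m:
        return m.group(1), m.group(2).strip(), False
    return value, "", False                 # no .exe token: whole value is the exe

def is_unquoted_search_path(image_path):
    """True when the loader would try space-delimited prefixes (CWE-428)."""
    exe, _, quoted = split_image_path(image_path)
    return not quoted and " " in exe

def directories_to_audit(image_path):
    """Parent dirs of each prefix tried before the real exe: check their write ACLs."""
    if not is_unquoted_search_path(image_path):
        return []
    exe = split_image_path(image_path)[0]
    dirs, prefix = [], ""
    for token in exe.split(" ")[:-1]:
        prefix = token if not prefix else prefix + " " + token
        dirs.append(ntpath.dirname(prefix))
    return dirs

def quoted_image_path(image_path):
    """Remediated value: executable wrapped in double quotes, arguments kept."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services):
    """services: name -> ImagePath. Returns fix and ACL-audit dirs per finding."""
    return {name: {"fix": quoted_image_path(path), "audit_dirs": directories_to_audit(path)}
            for name, path in services.items() if is_unquoted_search_path(path)}

SAMPLE_SERVICES = {                          # constructed sample registry values
    "SafeSvc": r'"C:\Program Files\Vendor\Tool\svc.exe" -run',
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "HddPwSvc": r"C:\Program Files\Vendor\HDD Password\pwsvc.exe /service",
}
```

Only HddPwSvc is reported: its fix is the quoted path and the directories to review are C:\ and C:\Program Files\Vendor.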

Solution

The developer released the update that contains a fix for this vulnerability on 2020 April 28.

Uninstall and/or update HDD Password tool (for Windows) version 1.20.6620
Uninstall HDD Password tool (for Windows) version 1.20.6620, or, if you continue using it, update it to the latest version according to the information provided by the developer.
Uninstalling or applying the update will delete/fix the registration of improper Windows services.

How to uninstall:

  • If a password is set, delete it before uninstalling HDD Password tool (for Windows) version 1.20.6620 and earlier
  • Uninstall the affected software from the PC if it is installed
  • Delete the installer of the affected software

How to update:

  • Update the software to the latest version

For more information, refer to the information provided by the developer.

Vendor Status

Vendor: Toshiba Electronic Devices & Storage Corporation
Status: Vulnerable
Last Update: 2020/04/20
Vendor Notes: Toshiba Electronic Devices & Storage Corporation website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.4
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)
CVSS v2 AV:L/AC:L/Au:N/C:P/I:P/A:P
Base Score: 4.6
Access Vector (AV): Local (L)
Access Complexity (AC): Low (L)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Credit

Toshiba Electronic Devices & Storage Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and TOSHIBA ELECTRONIC DEVICES & STORAGE CORPORATION coordinated under the Information Security Early Warning Partnership.

Other Information

CVE CVE-2020-5569
JVN iPedia JVNDB-2020-000025

Update History

2020/04/28
Information under the section [Solution] was updated.