Published: 2018/11/29  Last Updated: 2018/11/29

JVN#36895151
Panasonic applications register unquoted service paths

Overview

Some Panasonic applications register Windows services with unquoted file paths.

Products Affected

Panasonic PCs delivered in October 2009 or later with one of the following pre-installed OSes:

  • Windows 7 (32bit)
  • Windows 7 (64bit)
  • Windows 8 (64bit)
  • Windows 8.1 (64bit)
  • Windows 10 (64bit)

Description

Some pre-installed applications on Panasonic PCs register Windows services with unquoted file paths (CWE-428).
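
A check for the condition described above, as an added example that is not part of the advisory and is not Panasonic's remediation utility: it flags service ImagePath values whose executable path contains spaces but is not quoted, and returns the quoted form. The service names and paths are constructed sample data, and the `.exe`-based splitting of executable and arguments is an assumption of this example.

```python
import re

# Constructed sample ImagePath values (not taken from the advisory); on Windows
# they live under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Agent\agent.exe -service",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Agent\agent.exe" -service',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleEnv": r"%ProgramFiles%\Example Vendor\updater.exe",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Executable portion: shortest prefix ending in .exe followed by whitespace or end.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath, or None."""
    m = _EXE.match(image_path.strip())
    return (m.group(1), m.group(2)) if m else None


def audit_image_path(image_path):
    """Return a quoted replacement if the path is a CWE-428 candidate, else None."""
    value = image_path.strip()
    if value.startswith('"'):          # already quoted
        return None
    parts = split_image_path(value)
    if parts is None:                  # e.g. kernel driver (.sys), not an .exe command line
        return None
    exe, args = parts
    if not re.search(r"\s", exe):      # no whitespace in the executable path
        return None
    return f'"{exe}"{args}'


def audit_services(services):
    """Map service name -> suggested quoted ImagePath for every flagged entry."""
    findings = {}
    for name, path in services.items():
        fixed = audit_image_path(path)
        if fixed is not None:
            findings[name] = fixed
    return findings


if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; quoted form: {fixed}")
```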

Impact

If a malicious executable is placed on a certain path, it may be executed with elevated privileges.

Solution

Update the Software
Apply "Remediate Service Path Vulnerability Utility" according to the information provided by the developer.

Vendor Status

Vendor                 Status      Last Update  Vendor Notes
Panasonic Corporation  Vulnerable  2018/11/29   Panasonic Corporation website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.4

  Attack Vector (AV)            Local (L)
  Attack Complexity (AC)        Low (L)
  Privileges Required (PR)      None (N)
  User Interaction (UI)         None (N)
  Scope (S)                     Unchanged (U)
  Confidentiality Impact (C)    High (H)
  Integrity Impact (I)          High (H)
  Availability Impact (A)       High (H)

CVSS v2  AV:L/AC:L/Au:N/C:P/I:P/A:P
Base Score: 4.6

  Access Vector (AV)            Local (L)
  Access Complexity (AC)        Low (L)
  Authentication (Au)           None (N)
  Confidentiality Impact (C)    Partial (P)
  Integrity Impact (I)          Partial (P)
  Availability Impact (A)       Partial (P)

Comment

The evaluation assumes that malicious software is placed on a certain path by an attacker.

Credit

Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2018-16183
JVN iPedia: JVNDB-2018-000123