JVN#36895151
Panasonic applications register unquoted service paths
Overview
Some Panasonic applications register Windows services with unquoted file paths.
Products Affected
Panasonic PCs delivered in or later than October 2009 with the following pre-installed OSes.
- Windows 7 (32bit)
- Windows 7 (64bit)
- Windows 8 (64bit)
- Windows 8.1 (64bit)
- Windows 10 (64bit)
Description
Some pre-installed applications on Panasonic PCs register Windows services with unquoted file paths (CWE-428).
Impact
If a malicious executable is placed on a certain path, it may be executed with the elevated privilege.
Solution
Update the Software
Apply "Remediate Service Path Vulnerability Utility" according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Panasonic Corporation | Vulnerable | 2018/11/29 | Panasonic Corporation website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
The evaluation assumes that a malicious software is placed on a certain path by an attacker.
Credit
Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2018-16183 |
| JVN iPedia |
JVNDB-2018-000123 |