Published: 2024/06/18  Last Updated: 2024/06/18

JVN#00442488
Multiple vulnerabilities in Ricoh Streamline NX PC Client

Overview

Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities.

Products Affected

CVE-2024-36252
  • Ricoh Streamline NX PC Client ver.3.6.x and earlier

CVE-2024-36480
  • Ricoh Streamline NX PC Client ver.3.7.2 and earlier

CVE-2024-37124, CVE-2024-37387
  • Ricoh Streamline NX PC Client ver.3.2.1.19, ver.3.3.1.3, ver.3.3.2.201, ver.3.4.3.1, ver.3.5.1.201 (ver.3.5.1.200op1), ver.3.6.100.53, and ver.3.6.2.1

Description

Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below.

  • Improper restriction of communication channel to intended endpoints (CWE-923)
    • CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 6.3
    • CVE-2024-36252
    • ricoh-2024-000004
  • Use of hard-coded credentials (CWE-798)
    • CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 5.1
    • CVE-2024-36480
    • ricoh-2024-000005
  • Use of potentially dangerous function (CWE-676)
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 4.0
    • CVE-2024-37124
    • ricoh-2024-000006
  • Use of potentially dangerous function (CWE-676)
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 4.0
    • CVE-2024-37387
    • ricoh-2024-000007

Impact

  • Arbitrary code may be executed on the PC where the product is installed (CVE-2024-36252)
  • An attacker may obtain the LocalSystem account of the PC where the product is installed. As a result, unintended operations may be performed on the PC. (CVE-2024-36480)
  • An attacker may create an arbitrary file on the PC where the product is installed (CVE-2024-37124)
  • Files on the PC where the product is installed may be altered (CVE-2024-37387)

Solution

Update the Software
Update the software to the latest version using the appropriate installer for the fixed version, as described in the information provided by the developer.
For more information, refer to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2024-36252
Cai, Qi Qi of Siemens China Cybersecurity Testing Center - Shadowless Lab reported this vulnerability to RICOH COMPANY, LTD. and coordinated. After the coordination was completed, RICOH COMPANY, LTD. reported the case to IPA to notify users of the solution through JVN.

CVE-2024-36480, CVE-2024-37124, CVE-2024-37387
Abian Blome of Siemens Energy reported these vulnerabilities to RICOH COMPANY, LTD. and coordinated. After the coordination was completed, RICOH COMPANY, LTD. reported the case to IPA to notify users of the solution through JVN.

Other Information

CVE: CVE-2024-36252, CVE-2024-36480, CVE-2024-37124, CVE-2024-37387
JVN iPedia: JVNDB-2024-000061