Published:2019/06/21 Last Updated:2019/06/26
JVN#13555032
Multiple vulnerabilities in VAIO Update
Overview
VAIO Update contains multiple vulnerabilities.
Products Affected
- VAIO Update 7.3.0.03150 and earlier
Description
VAIO Update provided by Sony Corporation contains multiple vulnerabilities listed below.
- Improper authorization process (CWE-285) - CVE-2019-5981
CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8 CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8 - Improper verification of download file (CWE-669) - CVE-2019-5982
This analysis assumes a man-in-the-middle attack being conducted by an attacker that places a malicious wireless LAN access point.CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.1 CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P Base Score: 5.1
Impact
- An attacker may execute arbitrarily executable files with administrative privilege. - CVE-2019-5981
- A successful man-in-the-middle attack may result in a specially crafted file prepared by an attacker being downloaded and executed. - CVE-2019-5982
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Sony Corporation | Vulnerable | 2019/06/21 | Sony Corporation website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Device Security reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2019-5981 |
|
CVE-2019-5982 |
|
| JVN iPedia |
JVNDB-2019-000040 |
Update History
- 2019/06/26
- CVSS v3 Score for CVE-2019-5982 was corrected.