JVN#17680667: Multiple vulnerabilities in Unifier and Unifier Cast

Overview

Unifier and Unifier Cast provided by Yokogawa Rental ＆ Lease Corporation contains multiple vulnerabilities.

Products Affected

Unifier Version.5.0 or later, and the patch "20240527" not applied
Unifier Cast Version.5.0 or later, and the patch "20240527" not applied

Description

Unifier and Unifier Cast provided by Yokogawa Rental ＆ Lease Corporation contains multiple vulnerabilities listed below.

Incorrect Default Permissions configured by Cast Launcher (CWE-276)
- CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 7.8
- CVE-2024-23847
Missing Authorization for coejobhook Command Execution (CWE-862)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
- CVE-2024-36246

Impact

An arbitrary code may be executed with LocalSystem privilege.
As a result, a malicious program may be installed, data may be modified or deleted.

Solution

Apply the patch
Apply the patch according to the information provided by the developer.

For more information, refer to the information provided by the developer.

Vendor Status

Vendor	Link
Yokogawa Rental ＆ Lease Corporation	Vulnerability Report for Unifier and Unifier Cast (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2024-23847
Yokogawa Rental ＆ Lease Corporation reported this vulnerability to IPA to notify users of its solution through JVN.
JPCERT/CC and Yokogawa Rental ＆ Lease Corporation coordinated under the Information Security Early Warning Partnership.

CVE-2024-36246
Taisei Ogura of MOTEX Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2024-23847
	CVE-2024-36246
JVN iPedia	JVNDB-2024-000053

JVN#17680667 Multiple vulnerabilities in Unifier and Unifier Cast