Information from PIONEER CORPORATION
Vulnerability ID: JVN#17956874
Title: The installers for multiple PIONEER products may insecurely load Dynamic Link Libraries
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
Summary:
Vulnerability in Download Handling within Multiple Pioneer Product Installers
Affected Products:
USB DAC AMP: APS-DA101JS/JR/JGL/JGR
Stellanova Lite: APS-S201JS/JR/JGL/JGR
Stellanova Limited: APS-S202J-LM
Stellanova: APS-S301 Series
Details:
An attacker-prepared DLL is loaded and executed with administrator privileges instead of the legitimate DLL included with the product. This allows arbitrary code execution by the attacker, potentially compromising system integrity and confidentiality.
Potential Impact:
Confidentiality Impact: Since an attacker can execute arbitrary code with administrator privileges, sensitive data such as account information, passwords, credentials, encryption keys, stored browser session data, and other highly sensitive data may be stolen.
Integrity Impact: Attackers can tamper with critical system components such as system files, configuration files, the registry, and security policies. This allows them to maliciously alter system behavior, persist backdoors, or rewrite the system into an unintended state for the victim.
Mitigation Measures:
The product has reached end-of-life with no successor available. We will implement the following actions:
Close the installer download page to prevent new downloads.
For users requiring the download, we will provide a link to an inquiry form on the download page of the public website URL, and guide them individually.
※ When sending the installer to customers, the following warning will be provided:
"Please ensure to thoroughly verify that no suspicious files are present in the same directory when executing the installer."
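
One way to carry out the directory check described in the warning above, as an added example that is not part of the vendor statement or any PIONEER tooling. The function names, the extension list, and the installer path in the usage comment are assumptions; copying the installer into a newly created directory is a common precaution against planted DLLs and goes one step beyond the check the warning asks for.

```powershell
# Added example, not vendor code. Function names and the extension list are assumptions.
function Get-InstallerDirectoryFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$InstallerPath)

    $installer = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
    # Extensions treated here as loadable code (assumed list, adjust as needed).
    $loadable = '.dll', '.exe', '.ocx', '.cpl'

    # Every file other than the installer itself is reported; -Force includes hidden files.
    Get-ChildItem -LiteralPath $installer.DirectoryName -File -Force |
        Where-Object { $_.FullName -ne $installer.FullName } |
        ForEach-Object {
            $isLoadable = $loadable -contains $_.Extension.ToLowerInvariant()
            $status = 'NotChecked'
            if ($isLoadable) {
                $status = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status.ToString()
            }
            [pscustomobject]@{
                Name          = $_.Name
                Loadable      = $isLoadable
                Signature     = $status
                LastWriteTime = $_.LastWriteTime
            }
        }
}

function Copy-InstallerToCleanDirectory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$InstallerPath)

    $installer = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
    # A freshly created directory holds nothing but the file copied into it.
    $target = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
    $null = New-Item -ItemType Directory -Path $target -ErrorAction Stop
    $copy = Copy-Item -LiteralPath $installer.FullName -Destination $target -PassThru

    # Confirm the copy is byte-identical to the file that was inspected.
    $before = (Get-FileHash -LiteralPath $installer.FullName -Algorithm SHA256).Hash
    $after  = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
    if ($before -ne $after) { throw "Copy of $($installer.Name) does not match the original." }
    $copy.FullName
}

# Usage with a constructed placeholder path (not a file name from the advisory):
# Get-InstallerDirectoryFinding -InstallerPath "$env:USERPROFILE\Downloads\installer.exe" | Format-Table
# Copy-InstallerToCleanDirectory -InstallerPath "$env:USERPROFILE\Downloads\installer.exe"
```

Any row with `Loadable` set to `True` is a file the installer could pick up from its own directory; review it before running the installer from that location.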
