Published: 2022/01/13  Last Updated: 2022/01/13
JVN#19826500
PASSWORD MANAGER "MIRUPASS" PW10 / PW20 missing encryption
Overview
PASSWORD MANAGER "MIRUPASS" PW10 / PW20 provided by KING JIM CO.,LTD. contain a missing encryption vulnerability.
Products Affected
- PASSWORD MANAGER "MIRUPASS" PW10 firmware all versions
- PASSWORD MANAGER "MIRUPASS" PW20 firmware all versions
Description
PASSWORD MANAGER "MIRUPASS" PW10 / PW20 provided by KING JIM CO.,LTD. contain a missing encryption vulnerability (CWE-311).
Impact
A user who can physically access the products may obtain the stored passwords.
Solution
Stop using the products
The developer states that the products are no longer supported; users should therefore stop using the products.
It is highly recommended to erase all stored passwords before disposing of the product.
Vendor Status
Vendor | Link |
---|---|
KING JIM CO.,LTD. | About the vulnerability in Password Manager "MIRUPASS" PW10 / PW20 (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 4.6
Metric | Values | | | |
---|---|---|---|---|
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
CVSS v2
AV:L/AC:L/Au:N/C:C/I:N/A:N
Base Score: 4.9
Metric | Values | | |
---|---|---|---|
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2022-0183 |
JVN iPedia | JVNDB-2022-000005 |