Published:2024/07/30  Last Updated:2024/07/30

JVN#26734798
FFRI AMC vulnerable to OS command injection

Overview

FFRI AMC provided by FFRI Security, Inc. contains an OS command injection vulnerability.

Products Affected

  • FFRI AMC versions 3.4.0 to 3.5.3
The developer states that the following OEM products of FFRI AMC are also affected:
  • NEC Corporation
    • FFRI AMC for ActSecure χ versions 3.4.0 to 3.5.3
  • Sky Co., Ltd.
    • EDR Plus Pack (Bundled FFRI AMC versions 3.4.0 to 3.5.3)
FFRI yarai cloud, FFRI yarai, and FFRI yarai Home and Business Edition are not affected by this vulnerability.
In addition, FFRI yarai OEM products other than those listed above are also not affected by this vulnerability.

Description

FFRI AMC provided by FFRI Security, Inc. is a management console for the endpoint security products FFRI yarai and ActSecure χ.
FFRI AMC contains an OS command injection vulnerability (CWE-78).
It is exploitable when the notification program setting is enabled, the executable file path is configured with a batch file (.bat) or command file (.cmd), and the file is written in a certain style.

Impact

When an attacker pretends to be a yarai client and sends a crafted request, an arbitrary OS command may be executed on the victim FFRI AMC.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The following versions are provided to address the vulnerability:

  • FFRI Security, Inc.
    • FFRI AMC version 3.6.1
  • NEC Corporation
    • FFRI AMC for ActSecure χ version 3.6.1
  • Sky Co., Ltd.
    • EDR Plus Pack (Bundled FFRI AMC version 3.6.1)
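
A triage check built from the preconditions in the Description and the version lists above, as an added example that is not part of the advisory or of the vendor's tooling. The inventory field names (`amc_version`, `notify_program_enabled`, `notify_program_path`) and the sample records are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

AFFECTED_MIN = (3, 4, 0)      # first affected version per the advisory
AFFECTED_MAX = (3, 5, 3)      # last affected version per the advisory
FIXED = (3, 6, 1)             # version provided to address the vulnerability
SCRIPT_EXTS = {".bat", ".cmd"}

def parse_version(text):
    """Turn '3.5.3' into (3, 5, 3); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(host):
    """Classify one inventory record (field names are hypothetical)."""
    try:
        version = parse_version(host["amc_version"])
    except (KeyError, ValueError, AttributeError):
        return "unknown-version"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "fixed" if version >= FIXED else "outside-affected-range"
    path = (host.get("notify_program_path") or "").strip().strip('"')
    ext = PureWindowsPath(path).suffix.lower()
    if host.get("notify_program_enabled") and ext in SCRIPT_EXTS:
        # The page does not say which script style is exploitable, so the
        # script itself still needs manual review; update first regardless.
        return "affected-preconditions-met"
    return "affected-update"

# Constructed sample inventory, not real hosts.
INVENTORY = [
    {"host": "amc-01", "amc_version": "3.5.3", "notify_program_enabled": True,
     "notify_program_path": r'"C:\Scripts\notify.BAT"'},
    {"host": "amc-02", "amc_version": "3.4.0", "notify_program_enabled": False,
     "notify_program_path": r"C:\Scripts\notify.cmd"},
    {"host": "amc-03", "amc_version": "3.6.1", "notify_program_enabled": True,
     "notify_program_path": r"C:\Scripts\notify.bat"},
    {"host": "amc-04", "amc_version": "3.5", "notify_program_enabled": True},
]

def report(inventory):
    """Map each host name to its triage status."""
    return {h["host"]: triage(h) for h in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

Hosts reported as `affected-preconditions-met` are the ones to update first; `affected-update` hosts are in the affected range but do not currently have the notification program pointed at a .bat or .cmd file.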

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)

Comment

The scope is assessed as Unchanged (S:U) because, when exploited, an OS command is executed with the same privilege as that of the affected product (LocalSystem with the initial configuration).

Credit

FFRI Security, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and FFRI Security, Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2024-40895
  • JVN iPedia: JVNDB-2024-000077