JVN#42031953
FileCapsule Deluxe Portable and Encrypted Files in Self-Decryption Format created by FileCapsule Deluxe Portable may insecurely load Dynamic Link Libraries
Overview
FileCapsule Deluxe Portable and Encrypted files in self-decryption format created by FileCapsule Deluxe Portable may insecurely load Dynamic Link Libraries.
Products Affected
- FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier - CVE-2017-2265
- Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier - CVE-2017-2266
- FileCapsule Deluxe Portable Ver.1.0.5.1 and earlier - CVE-2017-2267
- Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.1.0.5.1 and earlier - CVE-2017-2268
- FileCapsule Deluxe Portable Ver.2.0.9 and earlier - CVE-2017-2269
- Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.2.0.9 and earlier - CVE-2017-2270
Description
FileCapsule Deluxe Portable is a file encryption software. FileCapsule Deluxe Portable contains the following vulnerabilities.
- FileCapsule Deluxe Portable insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2265, CVE-2017-2267, CVE-2017-2269
CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8 CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8 - Encrypted files in self-decryption format created by FileCapsule Deluxe Portable insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2266, CVE-2017-2268, CVE-2017-2270
CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8 CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8
Impact
- Arbitrary code may be executed with the privilege of the user invoking the application. - CVE-2017-2265, CVE-2017-2267, CVE-2017-2269
- Arbitrary code may be executed with the privilege of the user invoking the Encrypted file in self-decryption format. - CVE-2017-2266, CVE-2017-2268, CVE-2017-2270
Solution
Update the Software
Update to the latest version according to the information provided by the developer. Encrypted files in self-decryption format must be re-created using the latest version.
According to the developer, following actions are necessary when using Windows OS prior to Windows 8.
- In case of Windows Vista or 7, KB2533623 provided by Microsoft should be applied before using the latest version.
- In case of Windows XP, users must take care where to place the application or the encrypted files in self-decryption format. Make sure no untrusted files exist in the same folder as the application or the encrypted file in self-decryption format.
For more information, refer to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Tomoki Fuke | Vulnerable | 2017/07/13 | Tomoki Fuke website |
References
-
Japan Vulnerability Notes JVNTA#91240916
Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2017-2265 |
|
CVE-2017-2266 |
|
|
CVE-2017-2267 |
|
|
CVE-2017-2268 |
|
|
CVE-2017-2269 |
|
|
CVE-2017-2270 |
|
| JVN iPedia |
JVNDB-2017-000172 |