JVN#54451757
Multiple vulnerabilities in SKYSEA Client View
Overview
SKYSEA Client View provided by Sky Co.,LTD. contains multiple vulnerabilities.
Products Affected
CVE-2024-21805
- SKYSEA Client View versions from Ver.16.100 prior to Ver.19.3
When this advisory was first published on March 3, 2024, the range of the affected versions were described as "from Ver.16.100 prior to Ver.19.2". After that, Ver.19.3 was released with further updates.
CVE-2024-24964
- SKYSEA Client View versions from Ver.11.220 prior to Ver.19.2
Description
SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool.
SKYSEA Client View contains multiple vulnerabilities listed below.
- Improper access control in the specific folder (CWE-276) - CVE-2024-21805
Assuming an attack scenario in which a logged-in attacker with some non-administrative privilege puts a crafted DLL file in a specific folder, "Integrity (I)" is treated as the primary impact, whereas "Confidentiality (C)" and "Availability (A)" are treated as secondary. In addition, if the vulnerability evaluate including secondary impact, the evaluation of "Confidentiality Impact(C)", "Integrity Impact(I)", and "Availability Impact(A)" are "High (H)".CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 3.3 CVSS v2 AV:L/AC:L/Au:S/C:N/I:P/A:N Base Score: 1.7 - Improper access control in the resident process (CWE-749) - CVE-2024-24964
CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8 CVSS v2 AV:L/AC:L/Au:S/C:P/I:P/A:P Base Score: 4.3
Impact
- An arbitrary file may be placed in the specific folder by a user who can log in to the PC where the product's Windows client is installed. In case the file is a specially crafted DLL file, arbitrary code may be executed with
SYSTEMprivilege - CVE-2024-21805 - An arbitrary process may be executed with
SYSTEMprivilege by a user who can log in to the PC where the product's Windows client is installed - CVE-2024-24964
Solution
For CVE-2024-21805
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.19.3 that addresses these vulnerabilities.
Apply the patch
For SKYSEA Client View Ver.17.0 to Ver.19.2, the developer has released the patches fixing these vulnerabilities.
For more details, refer to the information provided by the developer.
【2024/7/29 Update】
When this advisory was first published on March 3, 2024, the range of the affected versions were described as "Ver.16.100 prior to Ver.19.2". After that, Ver.19.3 was released with futher modification.
For CVE-2024-24964
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.19.2 that addresses these vulnerabilities.
Apply the patch
For SKYSEA Client View Ver.17.0 to Ver.19.101, the developer has released the patches fixing these vulnerabilities.
For more details, refer to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2024-21805
Ken Kitahara of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-24964
Ruslan Sayfiev, and Denis Faiustov of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Sky Co.,LTD. and coordinated. Sky Co.,LTD. and JPCERT/CC published respective advisories in order to notify users of the solutions through JVN.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-21805 |
|
CVE-2024-24964 |
|
| JVN iPedia |
JVNDB-2024-000028 |
Update History
- 2024/07/29
- Information under the section [Products Affected], [Description], and [Solution] was updated