Published: 2022/04/22  Last Updated: 2022/04/22

JVN#54857505
Hammock AssetView missing authentication for critical functions

Overview

AssetView provided by Hammock Corporation does not require authentication for some critical functions on the managing server.

Products Affected

  • AssetView prior to Ver.13.2.0
According to the developer, AssetView CLOUD is not affected by this vulnerability.

Description

AssetView provided by Hammock Corporation does not require authentication for some critical functions (CWE-306) on the managing server.

Impact

A remote attacker with some knowledge of the system configuration may upload a crafted configuration file to the managing server, causing the managed clients to execute arbitrary code with administrative privileges.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patch listed below, which contains a fix for this vulnerability.

  • AssetView Server Communication module Hotfix
According to the developer, no patch will be released for versions prior to Ver.11.0.0, as those versions are no longer supported.
Therefore, update to Ver.11.0.0 or later, and then apply the patch.

For more information, refer to the information provided by the developer (Text in Japanese).

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score: 9.0
  Attack Vector (AV):         Network (N)
  Attack Complexity (AC):     High (H)
  Privileges Required (PR):   None (N)
  User Interaction (UI):      None (N)
  Scope (S):                  Changed (C)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I):       High (H)
  Availability Impact (A):    High (H)

CVSS v2  AV:N/AC:M/Au:N/C:C/I:C/A:C
Base Score: 9.3
  Access Vector (AV):         Network (N)
  Access Complexity (AC):     Medium (M)
  Authentication (Au):        None (N)
  Confidentiality Impact (C): Complete (C)
  Integrity Impact (I):       Complete (C)
  Availability Impact (A):    Complete (C)

Credit

Denis Faiustov and Ruslan Sayfiev of GMO Cyber Security by IERAE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2022-28719
JVN iPedia: JVNDB-2022-000027