JVN#57749899
The installer of e-Tax software(common program) vulnerable to privilege escalation
Overview
The installer of e-Tax software(common program) provided by National Tax Agency (NTA) contains a privilege escalation vulnerability.
Products Affected
- The installer of e-Tax software(common program) all versions distributed on the NTA website before 2024 September 24
Description
The installer of e-Tax software(common program) provided by National Tax Agency contains a vulnerability which allows uploading a malicious DLL to be executed with higher privileges than that of an general user by altering registry (CWE-268).
Impact
A malicious DLL prepared by an attacker may be executed with higher privileges than the application privilege.
Solution
Use the latest installer
Use the latest installer provided by the developer.
Vendor Status
| Vendor | Link |
| National Tax Agency | Request for version upgrade of e-Tax software provided by National Tax Agency (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-47045 |
| JVN iPedia |
JVNDB-2024-000103 |