Published:2018/09/07  Last Updated:2018/11/09

JVN#59624986
Multiple vulnerabilities in INplc

Overview

INplc provided by MICRONET CORPORATION contains multiple vulnerabilities.

Products Affected

  • Installer of INplc SDK Express 3.08 and earlier (CVE-2018-0667)
  • Installer of INplc SDK Pro+ 3.08 and earlier (CVE-2018-0667)
  • INplc-RT 3.08 and earlier (CVE-2018-0668, CVE-2018-0669, CVE-2018-0670, CVE-2018-0671)

Description

INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below.

  • DLL preloading vulnerability (CWE-427) - CVE-CVE-2018-0667
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
    CVSS v2 AV:N/AC:M/AU:N/C:P/I:P/A:P Base Score: 6.8
  • Buffer overflow (CWE-119) - CVE-2018-0668
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/AU:N/C:P/I:P/A:P Base Score: 7.5
  • Authentication bypass (CWE-287) - CVE-2018-0669
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/AU:N/C:P/I:P/A:P Base Score: 7.5
  • Authentication bypass (CWE-287) - CVE-2018-0670
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/AU:N/C:P/I:P/A:P Base Score: 7.5
  • Privilege escalation - CVE-2018-0671
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Base Score: 8.8
    CVSS v2 AV:L/AC:M/AU:S/C:P/I:P/A:P Base Score: 4.1

Impact

  • Arbitrary code may be executed with the privilege of the user invoking the installer - CVE-2018-0667
  • A remote attacker may be able to cause a denial-of-service (DoS) condition or may execute arbitrary code - CVE-2018-0668
  • A remote attacker may execute an arbitrary command through the traffic based on the protocol - CVE-2018-0669, CVE-2018-0670
  • An attacker may execute arbitrary code with the administrative privilege on the Windows system which the product is installed on - CVE-2018-0671

Solution

Use the latest installer - CVE-2018-0667
Use the latest installer according to the information provided by the developer.
Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides.

Note that this vulnerability affects the installer only, thus users who have already installed INplc do not need to re-install the software.

Update the software - CVE-2018-0668, CVE-2018-0669, CVE-2018-0670, CVE-2018-0671
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
MICRONET CORPORATION Vulnerable 2018/09/07 MICRONET CORPORATION website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2018-0667
CVE-2018-0668
CVE-2018-0669
CVE-2018-0670
CVE-2018-0671
JVN iPedia JVNDB-2018-000092

Update History

2018/11/09
Fixed the CVSS scores and the description under [Impact] of CVE-2018-0671
2018/11/09
Fixed spelling error under "Impact"