Published:2020/05/11  Last Updated:2020/05/13

JVN#61849442
PALLET CONTROL vulnerable to arbitrary code execution

Overview

PALLET CONTROL contains an arbitrary code execution vulnerability.

Products Affected

  • PALLET CONTROL Ver. 6.3 and earlier
According to the developer, PalletControl 7 to 9.1 are not affected by this vulnerability. However under the environment where PLS Management Add-on Module is used, all versions are affected.

Description

PALLET CONTROL provided by JAL Information Technology Co., Ltd. is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability due to improper file access permission (CWE-284).

Impact

A user who can login to the computer where the vulnerable product is installed may execute arbitrary code with SYSTEM privilege.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.

According to the developer, users of PALLET CONTROL Ver. 6.2 and earlier must first update PALLET CONTROL to Ver. 6.3 and then apply the patch.

Vendor Status

Vendor Status Last Update Vendor Notes
JAL Information Technology Co., Ltd. Vulnerable 2020/05/11 JAL Information Technology Co., Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 7.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:L/AC:L/Au:S/C:C/I:C/A:C
Base Score: 6.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Yoshimasa Obana reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-5538
JVN iPedia JVNDB-2020-000029

Update History

2020/05/13
Fixed CVSS v2 scores