Published: 2016/08/31  Last Updated: 2016/08/31

JVN#85213412
Multiple AKABEi SOFT2 LTD. games vulnerable to OS command injection

Overview

Multiple games provided by AKABEi SOFT2 LTD. contain an OS command injection vulnerability.

Products Affected

A wide range of products is affected. For more information, refer to the vendor's statement in the "Vendor Status" section of this advisory.

Description

Multiple games provided by AKABEi SOFT2 LTD. contain an OS command injection vulnerability (CWE-78) due to an issue in loading saved data.

Impact

When specially crafted saved data is loaded, an arbitrary OS command may be executed.

Solution

Apply a Workaround
The following workaround can mitigate the impact of this vulnerability.

  • Do not load saved data provided by an untrusted source.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
AKABEi SOFT2 LTD. | Vulnerable | 2016/08/31 |

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

CVSS v2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Comment

This analysis assumes that the user is tricked into loading malicious saved data.

Credit

Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2016-4853
JVN iPedia: JVNDB-2016-000154