JVNVU#91587298
Multiple vulnerabilities in MaLion
Overview
MaLion provided by Intercom, Inc. contains multiple vulnerabilities.
Products Affected
Affected versions and conditions of use vary depending on respective vulnerabilities.
For details, refer to the information provided by the developers.
・CVE-2017-10815
MaLion for Windows 5.2.1 and earlier (only when "Remote Control" is installed)
MaLion for Mac 4.0.1 to 5.2.1 (only when "Remote Control" is installed)
・CVE-2017-10816, CVE-2017-10817
MaLion for Windows and Mac 5.0.0 to 5.2.1
・CVE-2017-10818
MaLion for Windows and Mac 3.2.1 to 5.2.1
・CVE-2017-10819
MaLion for Mac 4.3.0 to 5.2.1
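As an added triage helper, not part of the advisory or of Intercom's software, the following Python transcribes the affected-version ranges and conditions listed above so that an inventory entry can be checked against them; the platform names "windows"/"mac", the dotted numeric version format and the `remote_control` flag are assumptions made for this example.

```python
"""Triage helper for JVNVU#91587298: which CVEs apply to a given MaLion install.

Added example. RULES transcribes the "Products Affected" section of the advisory;
version strings are assumed to be dotted numerics such as "5.2.1".
"""
from typing import List, Optional, Set, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'5.2.1' -> (5, 2, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in s.strip().split("."))


# (cve, platforms, first affected or None for "and earlier", last affected,
#  requires the "Remote Control" component to be installed)
RULES: List[Tuple[str, Set[str], Optional[str], str, bool]] = [
    ("CVE-2017-10815", {"windows"},        None,    "5.2.1", True),
    ("CVE-2017-10815", {"mac"},            "4.0.1", "5.2.1", True),
    ("CVE-2017-10816", {"windows", "mac"}, "5.0.0", "5.2.1", False),
    ("CVE-2017-10817", {"windows", "mac"}, "5.0.0", "5.2.1", False),
    ("CVE-2017-10818", {"windows", "mac"}, "3.2.1", "5.2.1", False),
    ("CVE-2017-10819", {"mac"},            "4.3.0", "5.2.1", False),
]


def affected_cves(platform: str, version: str, remote_control: bool) -> List[str]:
    """Return the advisory CVEs that apply, in advisory order, without duplicates."""
    plat = platform.lower()
    v = parse_version(version)
    hits: List[str] = []
    for cve, platforms, first, last, needs_rc in RULES:
        if plat not in platforms:
            continue
        if needs_rc and not remote_control:
            continue
        if first is not None and v < parse_version(first):
            continue
        if v > parse_version(last):
            continue
        if cve not in hits:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample: a Mac agent at 5.2.1 with Remote Control installed.
    print(affected_cves("mac", "5.2.1", remote_control=True))
```

Tuple comparison handles short versions ("5.2" sorts before "5.2.1"), so a two-component version inside a range is still reported as affected.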
Description
MaLion provided by Intercom, Inc. is enterprise IT asset management software. MaLion contains multiple vulnerabilities listed below.
- Incorrect Authentication in Terminal Agent (CWE-863) - CVE-2017-10815
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
  CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
- SQL injection in Relay Service Server (CWE-89) - CVE-2017-10816
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
  CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
- Missing Authorization in Relay Service Server (CWE-862) - CVE-2017-10817
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Base Score: 9.8
  CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
- Use of Hard-coded Cryptographic Key (CWE-321) - CVE-2017-10818
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 4.8
  CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:N Base Score: 5.8
- Improper Certificate Validation in Relay Service Server (CWE-295) - CVE-2017-10819
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 4.8
  CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0
Impact
The possible impact of each vulnerability is as follows.
- A remote unauthenticated attacker may execute an arbitrary command or conduct arbitrary operations on Terminal Agent - CVE-2017-10815
- A remote unauthenticated attacker may execute an arbitrary SQL query or alter settings on Relay Service Server - CVE-2017-10816, CVE-2017-10817
- Connection settings of Terminal Agent may be altered by an unauthenticated attacker who has obtained the encryption key and spoofs a Relay Service - CVE-2017-10818
- A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication - CVE-2017-10819
Solution
Update the Software
Apply the appropriate update according to the information provided by the developer.
Vendor Status
Vendor | Link |
Intercom, Inc. | MaLion Club|Intercom, Inc. |
| About vulnerabilities in MaLion series |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Muneaki Nishimura of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2017-10815, CVE-2017-10816, CVE-2017-10817, CVE-2017-10818, CVE-2017-10819 |
JVN iPedia |
Update History
- 2017/08/04
- Information under [Products Affected] and [Impact] was corrected.