Published:2016/05/19  Last Updated:2016/11/18

JVNVU#97339542
SaAT Netizen fails to properly verify downloaded installation and update files

Overview

SaAT Netizen contains a vulnerability where files downloaded for installation or an update are not properly verified.

Products Affected

  • SaAT Netizen installer ver.1.2.0.424 and earlier
  • SaAT Netizen ver.1.2.0.8 (Build427) and earlier

Description

The SaAT Netizen installer and SaAT Netizen contain a vulnerability where downloaded files are not properly verified during the installation or update process.

Impact

An attacker positioned as a man-in-the-middle on the download path may substitute a specially crafted file for the genuine installation or update file; because the file is not verified, the installer or updater then executes it.
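The failure mode described above, as an added example that is not code from SaAT Netizen or NetMove: three updater patterns are run against a simulated download channel with and without an on-path attacker. The payload bytes, the channel, the "update.exe" / "update.exe.sha256" names and the pinned digest are all constructed for illustration. The vulnerable pattern runs whatever arrives; a digest fetched over the same channel adds nothing, since the attacker publishes the digest of their own file; only a reference value rooted outside the channel (here a digest embedded in the installer at build time) rejects the substituted file.

```python
import hashlib
import hmac

# Constructed placeholders for the files an updater would download; neither is
# real SaAT Netizen content.
GENUINE_UPDATE = b"MZ\x90\x00 genuine-update (constructed)"
MALICIOUS_UPDATE = b"MZ\x90\x00 attacker-payload (constructed)"

# Assumed vendor-side root of trust: a digest of the expected file embedded in
# the installer at build time, so it never travels over the download channel.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


class UntrustedChannel:
    """Stand-in for the plaintext download path. With mitm=True the attacker
    controls every byte the client receives, including any hash file."""

    def __init__(self, mitm: bool = False):
        self.mitm = mitm

    def fetch(self, name: str) -> bytes:
        payload = MALICIOUS_UPDATE if self.mitm else GENUINE_UPDATE
        if name == "update.exe":
            return payload
        if name == "update.exe.sha256":
            # The attacker simply publishes the digest of their own file.
            return hashlib.sha256(payload).hexdigest().encode()
        raise FileNotFoundError(name)


def execute(payload: bytes) -> str:
    """Stand-in for launching the downloaded file; reports which one ran."""
    return "executed:genuine" if payload == GENUINE_UPDATE else "executed:malicious"


def update_unverified(channel: UntrustedChannel) -> str:
    """Vulnerable pattern: run whatever arrived."""
    return execute(channel.fetch("update.exe"))


def update_hash_from_channel(channel: UntrustedChannel) -> str:
    """Still vulnerable: the reference digest comes over the same channel."""
    data = channel.fetch("update.exe")
    expected = channel.fetch("update.exe.sha256").decode()
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
        return "refused"
    return execute(data)


def update_pinned_hash(channel: UntrustedChannel) -> str:
    """Fixed pattern: the reference value is rooted in the installer, not the network."""
    data = channel.fetch("update.exe")
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), PINNED_SHA256):
        return "refused"
    return execute(data)


if __name__ == "__main__":
    for mitm in (False, True):
        ch = UntrustedChannel(mitm=mitm)
        print(f"mitm={mitm}: unverified={update_unverified(ch)}, "
              f"hash_from_channel={update_hash_from_channel(ch)}, "
              f"pinned={update_pinned_hash(ch)}")
```

A pinned digest only works when the expected file is known at build time. A real updater that must accept future releases instead pins the vendor's signing key and verifies a signature over the file and its version metadata (so an attacker cannot replay an older, signed but vulnerable build); the principle is the same: the trust anchor must not arrive over the channel the attacker controls.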

Solution

The developer has released an updated version of the SaAT Netizen installer that addresses this vulnerability.
Installed copies of SaAT Netizen are automatically updated to the fixed version after the PC is rebooted.

Re-install the software
If running an affected version of SaAT Netizen, uninstall that version and re-install SaAT Netizen using the newest available version of the installer.

Vendor Status

Vendor: NetMove Corporation
Status: Vulnerable
Last Update: 2016/05/19
Vendor Notes: NetMove Corporation website

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector(AV) Network (N)
Attack Complexity(AC) High (H)
Privileges Required(PR) None (N)
User Interaction(UI) None (N)
Scope(S) Unchanged (U)
Confidentiality Impact(C) Low (L)
Integrity Impact(I) Low (L)
Availability Impact(A) Low (L)
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector(AV) Network (N)
Access Complexity(AC) Medium (M)
Authentication(Au) None (N)
Confidentiality Impact(C) Partial (P)
Integrity Impact(I) Partial (P)
Availability Impact(A) Partial (P)

Comment

This analysis assumes that a man-in-the-middle attack results in arbitrary data being sent to the product.

Credit

PinkFlyingWhale 黒翼猫 (BlackWingCat) reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE CVE-2016-1203

Update History

2016/11/18
Information under the section "Credit" was modified.