JVNVU#97943829
Brother iPrint&Scan Desktop for Windows vulnerable to improper link resolution before file access
Overview
Brother iPrint&Scan Desktop for Windows contains a link following vulnerability.
Products Affected
- iPrint&Scan Desktop for Windows versions 11.0.0 and earlier
Description
iPrint&Scan Desktop for Windows provided by Brother Industries, Ltd. outputs logs to a certain log file.
The affected version of the product does not check whether the log file is a normal file or a symbolic link to a certain file (CWE-59).
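The check whose absence is described above can be illustrated as follows. This is an added example, not Brother's code or its actual fix: the names append_log and UnsafeLogTarget are hypothetical, and Python is used so the check can be run on any platform. It inspects the path without following links, refuses anything that is not a regular file, and re-verifies the opened handle.

```python
import errno
import os
import stat

REPARSE_POINT = 0x400  # value of FILE_ATTRIBUTE_REPARSE_POINT on Windows


class UnsafeLogTarget(Exception):
    """The log path is a link or is not a regular file."""


def _is_link(st):
    # Windows marks symlinks and junctions with the reparse-point attribute;
    # POSIX reports them through the file-type bits.
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & REPARSE_POINT)


def append_log(path, line):
    """Append one line to the log file, refusing links and non-regular files."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT
    flags |= getattr(os, "O_NOFOLLOW", 0)  # POSIX only: fail on a final-component symlink
    try:
        before = os.lstat(path)  # lstat inspects the link itself, not its target
    except FileNotFoundError:
        before = None
        flags |= os.O_EXCL  # creating: fail if anything appears at the path meanwhile
    if before is not None and (_is_link(before) or not stat.S_ISREG(before.st_mode)):
        raise UnsafeLogTarget(path)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EEXIST):  # link or file raced into place
            raise UnsafeLogTarget(path) from exc
        raise
    try:
        after = os.fstat(fd)
        same = before is None or (before.st_dev, before.st_ino) == (after.st_dev, after.st_ino)
        # The handle actually opened must be the regular file that was checked.
        if not stat.S_ISREG(after.st_mode) or not same:
            raise UnsafeLogTarget(path)
        os.write(fd, (line + "\n").encode("utf-8"))
    finally:
        os.close(fd)
```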
Impact
A symlink attack by a malicious user may cause a denial-of-service (DoS) condition on the PC.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer addressed the vulnerability in the following version.
- iPrint&Scan Desktop for Windows version 11.0.1
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Brother Industries, Ltd. | Vulnerable | 2024/02/01 | Brother Industries, Ltd. website |
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Chris Au reported this vulnerability to Brother Industries, Ltd. and coordinated. Brother Industries, Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
Other Information
CVE |
CVE-2023-51654 |
Update History
- 2023/12/22
- Brother Industries, Ltd. update status
- 2024/02/01
- Brother Industries, Ltd. update status