Japan Vulnerability Notes (jvn), JVN:00442488
Jun 18, 2024 - 12:00 a.m.

JVN#00442488: Multiple vulnerabilities in Ricoh Streamline NX PC Client

jvn.jp

AI Score: 7.5 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below.

  • Improper restriction of communication channel to intended endpoints (CWE-923): CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, Base Score 6.3, CVE-2024-36252, ricoh-2024-000004
  • Use of hard-coded credentials (CWE-798): CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, Base Score 5.1, CVE-2024-36480, ricoh-2024-000005
  • Use of potentially dangerous function (CWE-676): CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, Base Score 4.0, CVE-2024-37124, ricoh-2024-000006
  • Use of potentially dangerous function (CWE-676): CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, Base Score 4.0, CVE-2024-37387, ricoh-2024-000007

Impact

  • Arbitrary code may be executed on the PC where the product is installed (CVE-2024-36252)
  • An attacker may obtain the LocalSystem account of the PC where the product is installed. As a result, unintended operations may be performed on the PC. (CVE-2024-36480)
  • An attacker may create an arbitrary file on the PC where the product is installed (CVE-2024-37124)
  • Files on the PC where the product is installed may be altered (CVE-2024-37387)

Solution

Update the Software
Update the software to the latest version by using the appropriate installer for the fixed version according to the information provided by the developer.
For more information, refer to the information provided by the developer.

Products Affected

CVE-2024-36252

  • Ricoh Streamline NX PC Client ver.3.6.x and earlier

CVE-2024-36480

  • Ricoh Streamline NX PC Client ver.3.7.2 and earlier

CVE-2024-37124, CVE-2024-37387

  • Ricoh Streamline NX PC Client ver.3.2.1.19, ver.3.3.1.3, ver.3.3.2.201, ver.3.4.3.1, ver.3.5.1.201 (ver.3.5.1.200op1), ver.3.6.100.53, and ver.3.6.2.1
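
For patch triage, the affected-version rules above can be applied to a software inventory. The following is an added example, not code from JVN or Ricoh; the function names and the sample inventory are constructed, and it assumes "3.6.x and earlier" compares the first two version components while "3.7.2 and earlier" compares the first three.

```python
import re

# Exact builds the advisory lists for CVE-2024-37124 and CVE-2024-37387.
EXACT_BUILDS = {
    "3.2.1.19", "3.3.1.3", "3.3.2.201", "3.4.3.1",
    "3.5.1.201", "3.5.1.200op1", "3.6.100.53", "3.6.2.1",
}

def normalize(version):
    """Strip whitespace and a leading 'ver.' or 'v' prefix."""
    return re.sub(r"^(ver\.?|v)\s*", "", version.strip(), flags=re.I)

def numeric_prefix(version):
    """Return the leading dotted-numeric part as a tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def padded(parts, n):
    """Truncate or zero-pad a version tuple to exactly n components."""
    return (parts + (0,) * n)[:n]

def applicable_cves(version):
    """Map one installed version string to the CVEs the advisory assigns it."""
    v = normalize(version)
    parts = numeric_prefix(v)
    cves = []
    if padded(parts, 2) <= (3, 6):        # ver.3.6.x and earlier (assumed reading)
        cves.append("CVE-2024-36252")
    if padded(parts, 3) <= (3, 7, 2):     # ver.3.7.2 and earlier (assumed reading)
        cves.append("CVE-2024-36480")
    if v.lower() in EXACT_BUILDS:         # only the builds listed by name
        cves += ["CVE-2024-37124", "CVE-2024-37387"]
    return cves

def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: [CVE ids]}."""
    return {host: applicable_cves(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the last two versions are made up.
    sample = {"pc-01": "ver.3.6.2.1", "pc-02": "3.6.5.0", "pc-03": "3.7.3.0"}
    for host, cves in triage(sample).items():
        print(host, ", ".join(cves) or "not in any listed range")
```

An empty result only means the version falls outside the ranges listed here; confirm the fixed version against the developer's information.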
