Japan Vulnerability NotesJVN:09769017JVN#09769017: Multiple Fuji Xerox products may insecurely load Dynamic Link Libraries
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
27.2%
Installers of multiple products, and DocuWorks self-extracting documents provided by Fuji Xerox Co.,Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Impact
- Arbitrary code may be executed with the privilege of the administrative user invoking the installer - CVE-2017-10848, CVE-2017-10850, CVE-2017-10851
- Arbitrary code may be executed with the privilege of the user invoking the self-extracting document generated by DocuWorks - CVE-2017-10849
Solution
CVE-2017-10848, CVE-2017-10850, CVE-2017-10851 Use the latest installer
Use the latest installer according to the information provided by the developer.
CVE-2017-10849 Update the Software
Update to the latest version according to the information provided by the developer.
Apply a Workaround
The self-extracting document generator function is not included in the latest version of the software.
When invoking the DocuWorks self-extracting document file, place the document (.exe) file in a newly created empty folder.
For more information, refer to the information provided by the developer.
Products Affected
CVE-2017-10848
-
Installer for DocuWorks 8.0.7 and earlier
-
Installer for DocuWorks Viewer Light published in Jul 2017 and earlier
CVE-2017-10849 -
Self-extracting document generated by DocuWorks 8.0.7 and earlier
CVE-2017-10850 -
Installer of ART EX Driver for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 12 Apr 2017 02:04 UTC.)
-
Installer of PostScriptยฎ Driver + Additional Feature Plug-in + PPD File for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 12 Apr 2017 02:10 UTC.)
-
Installer of XPS Print Driver for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 3 Nov 2017 23:48 UTC.)
-
Installer of ART EX Direct FAX Driver for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 26 May 2017 07:44 UTC.)
-
Installer of Setting Restore Tool for ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271, DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 (Timestamp of code signing is before 25 Aug 2015 08:51 UTC.)
CVE-2017-10851 -
Installer for ContentsBridge Utility for Windows 7.4.0 and earlier
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
27.2%