JVN#13467854: Toshiba Electronic Devices & Storage software registers unquoted service paths

2020-04-20 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVSS3: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.001 (Percentile: 33.3%)

Some Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths (CWE-428).

Impact

When a registered service path contains spaces and a malicious executable is placed on a certain path, that executable may be executed with the privileges of the Windows service.
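An added example (not part of the JVN advisory or the developer's tooling): a Python check a defender can use to find services registered with an unquoted path that contains spaces. The function names and the sample service names and paths are constructed for illustration; on Windows the script reads `ImagePath` values from `HKLM\SYSTEM\CurrentControlSet\Services`, elsewhere it runs on the sample data.

```python
import re
import sys

# Executable part of an ImagePath: shortest prefix ending in ".exe"
# that is followed by whitespace or the end of the string.
_EXE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)

def is_unquoted_with_space(image_path):
    """True if the command line is unquoted and its executable path has a space."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False  # empty, or already quoted
    m = _EXE.match(p)
    return bool(m) and " " in m.group(1)

def audit(services):
    """Return the sorted names of services whose ImagePath needs quoting."""
    return sorted(n for n, path in services.items() if is_unquoted_with_space(path))

def read_local_services():
    """Read ImagePath values from the local registry (Windows only)."""
    import winreg
    found = {}
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as key:
                    value = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # no ImagePath value, or key not readable
            # Expand %ProgramFiles% etc. so spaces hidden in variables are seen.
            found[name] = winreg.ExpandEnvironmentStrings(str(value))
    return found

# Constructed sample data: these service names and paths are made up.
SAMPLE = {
    "ExampleVendorSvc": r"C:\Program Files\Example Vendor\Tool\svc.exe -run",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\Tool\svc.exe" -run',
    "ExampleNoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    services = read_local_services() if sys.platform == "win32" else SAMPLE
    for name in audit(services):
        print(f"unquoted service path: {name}: {services[name]}")
```

A flagged service is remediated by updating or uninstalling the software that registered it, as the Solution section describes for the affected tool.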

Solution

The developer released an update that contains a fix for this vulnerability on 2020 April 28.

Uninstall and/or update HDD Password tool (for Windows) version 1.20.6620

Uninstall HDD Password tool (for Windows) version 1.20.6620, or, if you continue using it, update it to the latest version according to the information provided by the developer.
Uninstalling or applying the update will delete/fix the registration of improper Windows services.

How to uninstall:

  • If a password is set, delete it before uninstalling HDD Password tool (for Windows) version 1.20.6620 and earlier

  • Uninstall the affected software from the PC if installed

  • Delete the installer of the affected software

How to update:

  • Update the software to the latest version

For more information, refer to the information provided by the developer.

Products Affected

HDD Password tool (for Windows) version 1.20.6620 and earlier which are stored in the devices listed below and were downloaded before 2020 May 10 are affected:

  • CANVIO PREMIUM 3TB

    • HD-MB30TY
    • HD-MA30TY
    • HD-MB30TS
    • HD-MA30TS
  • CANVIO PREMIUM 2TB

    • HD-MB20TY
    • HD-MA20TY
    • HD-MB20TS
    • HD-MA20TS
  • CANVIO PREMIUM 1TB

    • HD-MB10TY
    • HD-MA10TY
    • HD-MB10TS
    • HD-MA10TS
  • CANVIO SLIM 1TB

    • HD-SB10TK
    • HD-SB10TS
  • CANVIO SLIM 500GB

    • HD-SB50GK
    • HD-SA50GK
    • HD-SB50GS
    • HD-SA50GS
