JVN#51274854: Multiple software for Sharp IC Card Reader/Writer Devices may insecurely load Dynamic Link Libraries

2017-06-01T00:00:00
ID JVN:51274854
Type jvn
Reporter Japan Vulnerability Notes
Modified 2017-08-23T00:00:00

Description

## Description

The tool to verify execution environment and the driver installer for IC Card Reader/Writer devices provided by Sharp Corporation contain an issue with the DLL search path, which may lead to insecurely load Dynamic Link Libraries (CWE-427).

## Impact

Arbitrary code may be executed with the privilege of the user invoking the tool or the installer.

## Solution

Use the latest installer
Use the latest installer according to the information provided by the developer.
The following versions address the issue.

  • RW-4040 driver installer for Windows 7 version 2.2.7.1 (RW40Inst.exe)
  • RW-5100 driver installer for Windows 7 version 1.2.0.0 (RW51Inst.exe)
  • RW-5100 driver installer for Windows 8.1 version 1.2.0.0 (RW51Inst.exe)

Users who already have installed the driver software do not need to re-install the software, because this issue affects the installers only.

Use the latest version of the tool to verify execution environment
Use the latest version of the tool according to the information provided by the developer.
The following versions address the issue.

  • RW-4040 tool to verify execution environment for Windows 7 version 1.3.0.0 (RW4040Test_win7.exe)
  • RW-5100 tool to verify execution environment for Windows 7 version 1.2.0.0 (RW5100Test_win7.exe)
  • RW-5100 tool to verify execution environment for Windows 8.1 version 1.2.1.0 (RW5100Test_win8.1.exe)

## Products Affected

  • RW-4040 driver installer for Windows 7 version 2.27A (RW4040V2.27_A_win7V.exe) and earlier - CVE-2017-2189
  • RW-5100 driver installer for Windows 7 version 1.0.0.9A (RW5100V1.0.0.9_A_win.exe) and earlier - CVE-2017-2191
  • RW-5100 driver installer for Windows 8.1 version 1.0.1.0A (RW5100V1.0.1.0_A_win8.exe) and earlier - CVE-2017-2191
  • RW-4040 tool to verify execution environment for Windows 7 version 1.2.0.0A (RW4040Test_A_win7V.exe) and earlier - CVE-2017-2190
  • RW-5100 tool to verify execution environment for Windows 7 version 1.1.0.0A (RW5100Test_A_win7.exe) and earlier - CVE-2017-2192
  • RW-5100 tool to verify execution environment for Windows 8.1 version 1.2.0.0A (RW5100Test_A_win8.exe) and earlier - CVE-2017-2192