Japan Vulnerability NotesJVN:59624986JVN#59624986: Multiple vulnerabilities in INplc
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.6%
INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below.
DLL preloading vulnerability (CWE-427) - CVE-CVE-2018-0667
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | Base Score: 7.8 |
| CVSS v2 | AV:N/AC:M/AU:N/C:P/I:P/A:P | Base Score: 6.8 |
Buffer overflow (CWE-119) - CVE-2018-0668
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 9.8 |
| CVSS v2 | AV:N/AC:L/AU:N/C:P/I:P/A:P | Base Score: 7.5 |
Authentication bypass (CWE-287) - CVE-2018-0669
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 9.8 |
| CVSS v2 | AV:N/AC:L/AU:N/C:P/I:P/A:P | Base Score: 7.5 |
Authentication bypass (CWE-287) - CVE-2018-0670
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 9.8 |
| CVSS v2 | AV:N/AC:L/AU:N/C:P/I:P/A:P | Base Score: 7.5 |
Privilege escalation - CVE-2018-0671
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Base Score: 8.8 |
| CVSS v2 | AV:L/AC:M/AU:S/C:P/I:P/A:P | Base Score: 4.1 |
Impact
- Arbitrary code may be executed with the privilege of the user invoking the installer - CVE-2018-0667
- A remote attacker may be able to cause a denial-of-service (DoS) condition or may execute arbitrary code - CVE-2018-0668
- A remote attacker may execute an arbitrary command through the traffic based on the protocol - CVE-2018-0669, CVE-2018-0670
- An attacker may execute arbitrary code with the administrative privilege on the Windows system which the product is installed on - CVE-2018-0671
Solution
Use the latest installer - CVE-2018-0667
Use the latest installer according to the information provided by the developer.
Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides.
Note that this vulnerability affects the installer only, thus users who have already installed INplc do not need to re-install the software.
Update the software - CVE-2018-0668, CVE-2018-0669, CVE-2018-0670, CVE-2018-0671
Update to the latest version according to the information provided by the developer.
Products Affected
- Installer of INplc SDK Express 3.08 and earlier (CVE-2018-0667)
- Installer of INplc SDK Pro+ 3.08 and earlier (CVE-2018-0667)
- INplc-RT 3.08 and earlier (CVE-2018-0668, CVE-2018-0669, CVE-2018-0670, CVE-2018-0671)
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.6%