ID

VAR-201708-0799


CVE

CVE-2017-2286


TITLE

Installers of Sony PaSoRi related software may insecurely load Dynamic Link Libraries

Trust: 0.8

sources: JVNDB: JVNDB-2017-000189

DESCRIPTION

Untrusted search path vulnerability in NFC Port Software Version 5.5.0.6 and earlier (for RC-S310, RC-S320, RC-S330, RC-S370, RC-S380, RC-S380/S), NFC Port Software Version 5.3.6.7 and earlier (for RC-S320, RC-S310/J1C, RC-S310/ED4C), PC/SC Activator for Type B Ver.1.2.1.0 and earlier, SFCard Viewer 2 Ver.2.5.0.0 and earlier, NFC Net Installer Ver.1.1.0.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. PaSoRi, provided by Sony Corporation, is a contactless IC card reader/writer. Installers of the PaSoRi driver and other related software for Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Arbitrary code may be executed with the privileges of the user invoking the installer. Sony NFC Port Software, etc. are all products of Sony Corporation of Japan. Sony NFC Port Software is a set of NFC interface software. PC/SC Activator for Type B is a Type B interface support software. An untrusted search path vulnerability exists in several Sony products. A remote attacker can exploit this vulnerability to obtain permissions with the help of malicious DLLs in the directory

Trust: 1.71

sources: NVD: CVE-2017-2286 // JVNDB: JVNDB-2017-000189 // VULHUB: VHN-110489

AFFECTED PRODUCTS

vendor: sony | model: sfcard viewer 2 | scope: eq | version: 2.5.0.0

Trust: 1.6

vendor: sony | model: nfc net installer | scope: lte | version: 1.1.0.0

Trust: 1.0

vendor: sony | model: pc/sc activator for type b | scope: lte | version: 1.2.1.0

Trust: 1.0

vendor: sony | model: nfc port | scope: lte | version: 5.3.6.7

Trust: 1.0

vendor: sony | model: nfc port | scope: lte | version: 5.5.0.6

Trust: 1.0

vendor: sony | model: nfc net installer | scope: lte | version: ver.1.1.0.0

Trust: 0.8

vendor: sony | model: nfc port software | scope: lte | version: version 5.3.6.7 products: rc-s320, rc-s310/j1c, rc-s310/ed4c

Trust: 0.8

vendor: sony | model: nfc port software | scope: lte | version: version 5.5.0.6 products: rc-s310, rc-s320, rc-s330, rc-s370, rc-s380, rc-s380/s

Trust: 0.8

vendor: sony | model: pc/sc activator for type b | scope: lte | version: ver.1.2.1.0

Trust: 0.8

vendor: sony | model: sfcard viewer 2 | scope: lte | version: ver.2.5.0.0

Trust: 0.8

vendor: sony | model: nfc port | scope: eq | version: 5.3.6.7

Trust: 0.6

vendor: sony | model: pc/sc activator for type b | scope: eq | version: 1.2.1.0

Trust: 0.6

vendor: sony | model: nfc net installer | scope: eq | version: 1.1.0.0

Trust: 0.6

vendor: sony | model: nfc port | scope: eq | version: 5.5.0.6

Trust: 0.6

sources: JVNDB: JVNDB-2017-000189 // CNNVD: CNNVD-201708-078 // NVD: CVE-2017-2286

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2286
value: HIGH

Trust: 1.0

IPA: JVNDB-2017-000189
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201708-078
value: CRITICAL

Trust: 0.6

VULHUB: VHN-110489
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-2286
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000189
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-110489
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2286
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000189
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-110489 // JVNDB: JVNDB-2017-000189 // CNNVD: CNNVD-201708-078 // NVD: CVE-2017-2286

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-110489 // JVNDB: JVNDB-2017-000189 // NVD: CVE-2017-2286

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-078

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201708-078

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-000189

PATCH

title: New installer with security fixes for users of the USB NFC reader for Windows | url: https://www.sony.net/Products/felica/business/information/170725.html

Trust: 0.8

title: Multiple Sony Product security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75599

Trust: 0.6

sources: JVNDB: JVNDB-2017-000189 // CNNVD: CNNVD-201708-078

EXTERNAL IDS

db: NVD | id: CVE-2017-2286

Trust: 2.5

db: JVN | id: JVN16136413

Trust: 2.5

db: JVNDB | id: JVNDB-2017-000189

Trust: 0.8

db: CNNVD | id: CNNVD-201708-078

Trust: 0.7

db: VULHUB | id: VHN-110489

Trust: 0.1

sources: VULHUB: VHN-110489 // JVNDB: JVNDB-2017-000189 // CNNVD: CNNVD-201708-078 // NVD: CVE-2017-2286

REFERENCES

url:https://jvn.jp/en/jp/jvn16136413/index.html

Trust: 2.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2286

Trust: 0.8

url:http://jvn.jp/en/ta/jvnta91240916/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-2286

Trust: 0.8

sources: VULHUB: VHN-110489 // JVNDB: JVNDB-2017-000189 // CNNVD: CNNVD-201708-078 // NVD: CVE-2017-2286

SOURCES

db: VULHUB | id: VHN-110489
db: JVNDB | id: JVNDB-2017-000189
db: CNNVD | id: CNNVD-201708-078
db: NVD | id: CVE-2017-2286

LAST UPDATE DATE

2025-04-20T23:15:59.742000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-110489 | date: 2017-08-23T00:00:00
db: JVNDB | id: JVNDB-2017-000189 | date: 2018-01-24T00:00:00
db: CNNVD | id: CNNVD-201708-078 | date: 2017-10-26T00:00:00
db: NVD | id: CVE-2017-2286 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB | id: VHN-110489 | date: 2017-08-02T00:00:00
db: JVNDB | id: JVNDB-2017-000189 | date: 2017-07-27T00:00:00
db: CNNVD | id: CNNVD-201708-078 | date: 2017-08-02T00:00:00
db: NVD | id: CVE-2017-2286 | date: 2017-08-02T16:29:00.597