ID

VAR-201710-0200


CVE

CVE-2017-10863


TITLE

HIBUN Confidential File Decryption program may insecurely load Dynamic Link Libraries

Trust: 0.8

sources: JVNDB: JVNDB-2017-000227

DESCRIPTION

Untrusted search path vulnerability in HIBUN Confidential File Decryption program prior to 10.50.0.5 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Note that this is a separate vulnerability from CVE-2017-10865. The HIBUN Confidential File Decryption program provided by Hitachi Solutions, Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Arbitrary code may be executed with the privileges of the user running the HIBUN Confidential File Decryption program. Attackers can use this vulnerability to gain permissions with the help of malicious DLLs in the directory.

Trust: 2.16

sources: NVD: CVE-2017-10863 // JVNDB: JVNDB-2017-000227 // CNVD: CNVD-2017-30833

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-30833

AFFECTED PRODUCTS

vendor: hitachi, model: confidential file decryption, scope: eq, version: -

Trust: 1.6

vendor: hitachi, model: hibun confidential file decryption program, scope: eq, version: prior to version 10.50.0.5

Trust: 0.8

vendor: hitachi, model: hibun confidential file decryption program, scope: lt, version: 10.50.0.5

Trust: 0.6

sources: CNVD: CNVD-2017-30833 // JVNDB: JVNDB-2017-000227 // CNNVD: CNNVD-201710-260 // NVD: CVE-2017-10863

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-10863
value: HIGH

Trust: 1.0

IPA: JVNDB-2017-000227
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-30833
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201710-260
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2017-10863
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000227
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-30833
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-10863
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000227
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-30833 // JVNDB: JVNDB-2017-000227 // CNNVD: CNNVD-201710-260 // NVD: CVE-2017-10863

PROBLEMTYPE DATA

problemtype:CWE-426

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2017-000227 // NVD: CVE-2017-10863

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-260

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201710-260

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-000227

PATCH

title: HIBUN Insecure DLL Loading Vulnerability, url: http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html

Trust: 0.8

title: Patch for Hitachi HIBUN Confidential File Decryption program untrusted search path vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/104224

Trust: 0.6

title: Hitachi HIBUN Confidential File Decryption Fixes for program security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75410

Trust: 0.6

sources: CNVD: CNVD-2017-30833 // JVNDB: JVNDB-2017-000227 // CNNVD: CNNVD-201710-260

EXTERNAL IDS

db: NVD, id: CVE-2017-10863

Trust: 3.0

db: JVN, id: JVN58909026

Trust: 3.0

db: JVNDB, id: JVNDB-2017-000227

Trust: 0.8

db: CNVD, id: CNVD-2017-30833

Trust: 0.6

db: CNNVD, id: CNNVD-201710-260

Trust: 0.6

sources: CNVD: CNVD-2017-30833 // JVNDB: JVNDB-2017-000227 // CNNVD: CNNVD-201710-260 // NVD: CVE-2017-10863

REFERENCES

url:https://jvn.jp/en/jp/jvn58909026/index.html

Trust: 2.4

url:http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10863

Trust: 0.8

url:http://jvn.jp/en/ta/jvnta91240916/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-10863

Trust: 0.8

url:http://jvn.jp/en/jp/jvn58909026/

Trust: 0.6

sources: CNVD: CNVD-2017-30833 // JVNDB: JVNDB-2017-000227 // CNNVD: CNNVD-201710-260 // NVD: CVE-2017-10863

SOURCES

db: CNVD, id: CNVD-2017-30833
db: JVNDB, id: JVNDB-2017-000227
db: CNNVD, id: CNNVD-201710-260
db: NVD, id: CVE-2017-10863

LAST UPDATE DATE

2025-04-20T23:42:05.839000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-30833, date: 2017-10-20T00:00:00
db: JVNDB, id: JVNDB-2017-000227, date: 2018-03-07T00:00:00
db: CNNVD, id: CNNVD-201710-260, date: 2017-10-13T00:00:00
db: NVD, id: CVE-2017-10863, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-30833, date: 2017-10-20T00:00:00
db: JVNDB, id: JVNDB-2017-000227, date: 2017-10-11T00:00:00
db: CNNVD, id: CNNVD-201710-260, date: 2017-10-13T00:00:00
db: NVD, id: CVE-2017-10863, date: 2017-10-12T14:29:00.293