ID

VAR-201710-0201


CVE

CVE-2017-10864


TITLE

Installer of HIBUN Confidential File Viewer may insecurely load Dynamic Link Libraries and invoke executable files

Trust: 0.8

sources: JVNDB: JVNDB-2017-000228

DESCRIPTION

Untrusted search path vulnerability in Installer of HIBUN Confidential File Viewer prior to 11.20.0001 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Installer of HIBUN Confidential File Viewer provided by Hitachi Solutions, Ltd. contains an issue with the search path for DLL/executable files, which may lead to insecurely loading Dynamic Link Libraries and invoking executable files (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Arbitrary code may be executed with the privilege of the user invoking the installer. install is one of them. Attackers can use this vulnerability to gain permissions with the help of malicious DLLs in the directory.

Trust: 2.16

sources: NVD: CVE-2017-10864 // JVNDB: JVNDB-2017-000228 // CNVD: CNVD-2017-30834

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-30834

AFFECTED PRODUCTS

vendor: hitachi
model: confidential file viewer
scope: eq
version: -

Trust: 1.6

vendor: hitachi
model: hibun confidential file viewer
scope: eq
version: prior to version 11.20.0001

Trust: 0.8

vendor: hitachi
model: hibun confidential file viewer
scope: lt
version: 11.20.0001

Trust: 0.6

sources: CNVD: CNVD-2017-30834 // JVNDB: JVNDB-2017-000228 // CNNVD: CNNVD-201710-259 // NVD: CVE-2017-10864

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-10864
value: HIGH

Trust: 1.0

IPA: JVNDB-2017-000228
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-30834
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201710-259
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2017-10864
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000228
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-30834
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-10864
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000228
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-30834 // JVNDB: JVNDB-2017-000228 // CNNVD: CNNVD-201710-259 // NVD: CVE-2017-10864

PROBLEMTYPE DATA

problemtype:CWE-426

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2017-000228 // NVD: CVE-2017-10864

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-259

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201710-259

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-000228

PATCH

title: HIBUN Insecure DLL Loading Vulnerablity
url: http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html

Trust: 0.8

title: Patch for Hitachi HIBUN Confidential File Viewer Installer Untrusted Search Path Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/104225

Trust: 0.6

title: Hitachi HIBUN Confidential File Viewer Fixes for installer security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75409

Trust: 0.6

sources: CNVD: CNVD-2017-30834 // JVNDB: JVNDB-2017-000228 // CNNVD: CNNVD-201710-259

EXTERNAL IDS

db: JVN, id: JVN94056834

Trust: 3.0

db: NVD, id: CVE-2017-10864

Trust: 3.0

db: JVNDB, id: JVNDB-2017-000228

Trust: 0.8

db: CNVD, id: CNVD-2017-30834

Trust: 0.6

db: CNNVD, id: CNNVD-201710-259

Trust: 0.6

sources: CNVD: CNVD-2017-30834 // JVNDB: JVNDB-2017-000228 // CNNVD: CNNVD-201710-259 // NVD: CVE-2017-10864

REFERENCES

url:https://jvn.jp/en/jp/jvn94056834/index.html

Trust: 2.4

url:http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10864

Trust: 0.8

url:https://jvn.jp/en/ta/jvnta91240916/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-10864

Trust: 0.8

url:http://jvn.jp/en/jp/jvn94056834/

Trust: 0.6

sources: CNVD: CNVD-2017-30834 // JVNDB: JVNDB-2017-000228 // CNNVD: CNNVD-201710-259 // NVD: CVE-2017-10864

SOURCES

db: CNVD, id: CNVD-2017-30834
db: JVNDB, id: JVNDB-2017-000228
db: CNNVD, id: CNNVD-201710-259
db: NVD, id: CVE-2017-10864

LAST UPDATE DATE

2025-04-20T23:34:17.874000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-30834, date: 2017-10-20T00:00:00
db: JVNDB, id: JVNDB-2017-000228, date: 2018-03-07T00:00:00
db: CNNVD, id: CNNVD-201710-259, date: 2017-10-13T00:00:00
db: NVD, id: CVE-2017-10864, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-30834, date: 2017-10-20T00:00:00
db: JVNDB, id: JVNDB-2017-000228, date: 2017-10-11T00:00:00
db: CNNVD, id: CNNVD-201710-259, date: 2017-10-13T00:00:00
db: NVD, id: CVE-2017-10864, date: 2017-10-12T14:29:00.340