Sign-up

ID

VAR-201710-0202


CVE

CVE-2017-10865


TITLE

HIBUN Confidential File Decryption program may insecurely load Dynamic Link Libraries

Trust: 0.8

sources: JVNDB: JVNDB-2017-000226

DESCRIPTION

Untrusted search path vulnerability in HIBUN Confidential File Decryption program prior to 10.50.0.5 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Note this is a separate vulnerability from CVE-2017-10863. HIBUN Confidential File Decryption program provided by Hitachi Solutions, Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Arbitrary code may be executed with the privileges of the user running HIBUN Confidential File Decryption program. Attackers can use this vulnerability to gain permissions with the help of malicious DLLs in the directory

Trust: 2.16

sources: NVD: CVE-2017-10865 // JVNDB: JVNDB-2017-000226 // CNVD: CNVD-2017-30835

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-30835

AFFECTED PRODUCTS

vendor:hitachimodel:confidential file decryptionscope:eqversion: -

Trust: 1.6

vendor:hitachimodel:hibun confidential file decryption programscope:eqversion:prior to version 10.50.0.5

Trust: 0.8

vendor:hitachimodel:hibun confidential file decryption programscope:ltversion:10.50.0.5

Trust: 0.6

sources: CNVD: CNVD-2017-30835 // JVNDB: JVNDB-2017-000226 // CNNVD: CNNVD-201710-258 // NVD: CVE-2017-10865

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-10865
value: HIGH

Trust: 1.0

IPA: JVNDB-2017-000226
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-30835
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201710-258
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2017-10865
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000226
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-30835
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-10865
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000226
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-30835 // JVNDB: JVNDB-2017-000226 // CNNVD: CNNVD-201710-258 // NVD: CVE-2017-10865

PROBLEMTYPE DATA

problemtype:CWE-426

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2017-000226 // NVD: CVE-2017-10865

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-258

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201710-258

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-000226

PATCH
title:HIBUN Insecure DLL Loading Vulnerablityurl:http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html
Trust: 0.8
title:Patch for Hitachi HIBUN Confidential File Decryption Program Untrusted Search Path Vulnerability (CNVD-2017-30835)url:https://www.cnvd.org.cn/patchInfo/show/104226
Trust: 0.6
title:Hitachi HIBUN Confidential File Decryption Fixes for program security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75408
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-30835 // 
            
            
            
            JVNDB: JVNDB-2017-000226 // 
            
            
            
            CNNVD: CNNVD-201710-258

EXTERNAL IDS
db:JVNid:JVN55516206
Trust: 3.0
db:NVDid:CVE-2017-10865
Trust: 3.0
db:JVNDBid:JVNDB-2017-000226
Trust: 0.8
db:CNVDid:CNVD-2017-30835
Trust: 0.6
db:CNNVDid:CNNVD-201710-258
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-30835 // 
            
            
            
            JVNDB: JVNDB-2017-000226 // 
            
            
            
            CNNVD: CNNVD-201710-258 // 
            
            
            
            NVD: CVE-2017-10865

REFERENCES
url:https://jvn.jp/en/jp/jvn55516206/index.html
Trust: 2.4
url:http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10865
Trust: 0.8
url:http://jvn.jp/en/ta/jvnta91240916/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-10865
Trust: 0.8
url:http://jvn.jp/en/jp/jvn55516206/
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-30835 // 
            
            
            
            JVNDB: JVNDB-2017-000226 // 
            
            
            
            CNNVD: CNNVD-201710-258 // 
            
            
            
            NVD: CVE-2017-10865

SOURCES
db:CNVDid:CNVD-2017-30835
db:JVNDBid:JVNDB-2017-000226
db:CNNVDid:CNNVD-201710-258
db:NVDid:CVE-2017-10865

LAST UPDATE DATE
2025-04-20T23:29:33.529000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-30835date:2017-10-20T00:00:00
db:JVNDBid:JVNDB-2017-000226date:2018-03-07T00:00:00
db:CNNVDid:CNNVD-201710-258date:2017-10-13T00:00:00
db:NVDid:CVE-2017-10865date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:CNVDid:CNVD-2017-30835date:2017-10-20T00:00:00
db:JVNDBid:JVNDB-2017-000226date:2017-10-11T00:00:00
db:CNNVDid:CNNVD-201710-258date:2017-10-13T00:00:00
db:NVDid:CVE-2017-10865date:2017-10-12T14:29:00.387