Church of ProZ: Otaku Fortress
Would you like to react to this message? Create an account in a few clicks or log in to continue.

Type Moon VN Security Vulnerability

Go down

Type Moon VN Security Vulnerability Empty Type Moon VN Security Vulnerability

Post by Zhu Yang on 2015-11-09, 21:35

http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000174.html
https://www.reddit.com/r/fatestaynight/comments/3s52id/fate_vns_security_vulnerability_save_data_os/

Overview

Multiple games provided by TYPE-MOON contain an OS command injection vulnerability (CWE-78) due to an issue in loading save data.

KUSANO Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]

Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial


Affected Products


TYPE-MOON / Notes Co.,Ltd.

Fate/hollow ataraxia
Fate/stay night (CD, DVD)
Fate/stay night + hollow ataraxia set
Witch on the Holy Night


Impact

When specially crafted save data is loaded, an arbitrary OS command may be executed.

Solution

[Apply a Workaround]
The following workaround can mitigate the affects of this vulnerability.
* Do not load save data provided by an untrusted source.

Vendor Information

TYPE-MOON / Notes Co.,Ltd.

TYPE-MOON / Notes Co.,Ltd. : TYPE-MOON / Notes Co.,Ltd. website

CWE (What is CWE?)

OS Command Injection(CWE-78) [IPA Evaluation]

CVE (What is CVE?)

CVE-2015-5672

References

JVN : JVN#80144272
National Vulnerability Database (NVD) : CVE-2015-5672
Zhu Yang
Zhu Yang
Archon
Archon

ProZ Degrees: Nasuverse Master
Posts : 2107
AwesomeSauce : 9

Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum