Church of ProZ: Otaku Fortress
Would you like to react to this message? Create an account in a few clicks or log in to continue.

Type Moon VN Security Vulnerability

Go down

moon - Type Moon VN Security Vulnerability Empty Type Moon VN Security Vulnerability

Post by Zhu Yang 2015-11-09, 21:35

http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000174.html
https://www.reddit.com/r/fatestaynight/comments/3s52id/fate_vns_security_vulnerability_save_data_os/

Overview

Multiple games provided by TYPE-MOON contain an OS command injection vulnerability (CWE-78) due to an issue in loading save data.

KUSANO Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]

Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial


Affected Products


TYPE-MOON / Notes Co.,Ltd.

Fate/hollow ataraxia
Fate/stay night (CD, DVD)
Fate/stay night + hollow ataraxia set
Witch on the Holy Night


Impact

When specially crafted save data is loaded, an arbitrary OS command may be executed.

Solution

[Apply a Workaround]
The following workaround can mitigate the affects of this vulnerability.
* Do not load save data provided by an untrusted source.

Vendor Information

TYPE-MOON / Notes Co.,Ltd.

TYPE-MOON / Notes Co.,Ltd. : TYPE-MOON / Notes Co.,Ltd. website

CWE (What is CWE?)

OS Command Injection(CWE-78) [IPA Evaluation]

CVE (What is CVE?)

CVE-2015-5672

References

JVN : JVN#80144272
National Vulnerability Database (NVD) : CVE-2015-5672
Zhu Yang
Zhu Yang
Archon
Archon

ProZ Degrees: Nasuverse Master
Posts : 2107
AwesomeSauce : 9

Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum