[JVN#59624986]
Known Vulnerabilities in INplc 3.08 Products
Arbitrary DLL loading vulnerability in the Micronet INplc SDK installers
- Information published date
2018/9/7
The installers for the INplc SDK Express product and the INplc SDK Pro+ product provided by
Micronet Corporation contain a DLL loading vulnerability.
- Products subject to vulnerability
INplc SDK Express
INplc-SDK Pro+
Version 3.08 and earlier
- Detailed information on vulnerability
The installers for the INplc SDK Express product and the INplc SDK Pro+ product produced by
Micronet Corporation load an external DLL. If a malicious DLL with the same name has been placed,
the installer may load it.
Arbitrary code may then be executed with the privileges under which the installer is running.
Note that this vulnerability affects only the installer when it is launched. INplc products that
are already installed are not affected.
(1) Products shipped after the information published date include an installer in which this
vulnerability is fixed.
(2) Even if you have one of these product packages, there is no danger if you run the installer
from the product CD-ROM, because the CD-ROM is not rewritable.
(3) If you have one of these product packages, do not copy the product CD-ROM to other rewritable
media.
Based on the Information Security Early Warning Partnership, the following person reported this
vulnerability information to IPA, and JPCERT/CC coordinated with the developer.
Reporter: The University of Tokyo / NEC Corporation Mr. Mitsuo Shiraki
Buffer overflow vulnerability in Micronet INplc
- Information published date
2018/9/7
There is a buffer overflow vulnerability in the INplc-RT products provided by Micronet
Corporation.
- Products subject to vulnerability
INplc-RT
Version 3.08 and earlier
- Detailed information on vulnerability
The INplc-RT products provided by Micronet Corporation have a buffer overflow problem and can be
affected by malicious communication.
If an attacker sends a malicious character string, control equipment and similar devices may run
out of control.
(1) Products shipped after the information published date have this vulnerability fixed.
(2) The vulnerability can be avoided by not exposing UDP port 1221.
Based on the Information Security Early Warning Partnership, the following person reported this
vulnerability information to IPA, and JPCERT/CC coordinated with the developer.
Reporter: The University of Tokyo / NEC Corporation Mr. Mitsuo Shiraki
Incomplete authentication and privilege escalation vulnerabilities in Micronet INplc
- Information published date
2018/9/7
The INplc-RT product provided by Micronet Corporation has an incomplete authentication
vulnerability. By applying this vulnerability, Windows files can be tampered with, which results
in a privilege escalation vulnerability.
- Products subject to vulnerability
INplc-RT
Version 3.08 and earlier
- Detailed information on vulnerability
The INplc-RT product provided by Micronet Corporation has an incomplete authentication problem
and can be affected by an attacker's spoofed requests. By applying this vulnerability, Windows
files can be tampered with, which results in a privilege escalation vulnerability.
Through traffic that conforms to the protocol, an attacker may gain unauthorized control of
control equipment, tamper with ladder programs, or place malicious files, which may provide a
foothold for unauthorized intrusion.
(1) Products shipped after the information published date have this vulnerability fixed.
(2) The vulnerability can be avoided by not exposing UDP port 1221 and TCP ports 1222, 29701 and
41100.
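The port restriction in countermeasure (2) of the two INplc-RT advisories above, as an added example that is not part of the original advisory and is not Micronet code: it lists which of the named ports the Windows host is listening on and adds inbound block rules for them. It assumes the services listen on the Windows network stack and that Windows Defender Firewall is the filtering point; the rule name prefix is a made-up label.

```powershell
# Added example. Run in an elevated PowerShell session on the INplc-RT host.
# Ports are the ones named in the advisories; everything else is an assumption.
$Ports = @(
    @{ Protocol = 'UDP'; Port = 1221  },
    @{ Protocol = 'TCP'; Port = 1222  },
    @{ Protocol = 'TCP'; Port = 29701 },
    @{ Protocol = 'TCP'; Port = 41100 }
)
$RulePrefix = 'INplc-RT restrict'   # hypothetical rule name prefix

function Get-InplcListener {
    # Report every local endpoint bound to one of the advisory ports.
    foreach ($p in $Ports) {
        if ($p.Protocol -eq 'UDP') {
            $eps = Get-NetUDPEndpoint -LocalPort $p.Port -ErrorAction SilentlyContinue
        } else {
            $eps = Get-NetTCPConnection -LocalPort $p.Port -State Listen -ErrorAction SilentlyContinue
        }
        foreach ($e in $eps) {
            $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol     = $p.Protocol
                Port         = $p.Port
                LocalAddress = $e.LocalAddress
                Process      = $proc.ProcessName
                # Anything not bound to loopback can be reached from the network.
                Reachable    = $e.LocalAddress -notin @('127.0.0.1', '::1')
            }
        }
    }
}

function Add-InplcBlockRule {
    # Create one inbound block rule per port; skip rules that already exist.
    foreach ($p in $Ports) {
        $name = "$RulePrefix $($p.Protocol)/$($p.Port)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol $p.Protocol -LocalPort $p.Port -Profile Any | Out-Null
        }
    }
}

Get-InplcListener | Format-Table -AutoSize      # what is exposed right now
Add-InplcBlockRule                              # stop exposing it
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    Select-Object DisplayName, Enabled, Direction, Action
```

The block rules cut off all remote access to these ports, including legitimate engineering connections. If the listener table is empty while the product is running, the ports are not served by the Windows stack and the filtering has to be done on the network device in front of the controller.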
Based on the Information Security Early Warning Partnership, the following person reported this
vulnerability information to IPA, and JPCERT/CC coordinated with the developer.
Reporter: The University of Tokyo / NEC Corporation Mr. Mitsuo Shiraki