JPCERT-AT-2016-0051
JPCERT/CC
2016-12-22(Initial)
2017-03-08(Update)

<<< JPCERT/CC Alert 2016-12-22 >>>

Alert regarding vulnerability (CVE-2016-7836) in SKYSEA Client View

https://www.jpcert.or.jp/english/at/2016/at160051.html


I. Overview

A vulnerability (CVE-2016-7836) in SKYSEA Client View provided by Sky Co., LTD. has been disclosed. On a device that has SKYSEA Client View installed, a remote attacker may execute arbitrary code when the device is placed in a specific environment. For more information on the vulnerability, please refer to the information provided by Sky Co., LTD.

  [Important] Alert for users who operate SKYSEA Client View in global IP address environment (CVE-2016-7836) (Japanese)
  http://www.skyseaclientview.net/news/161221/

The agent program in SKYSEA Client View installed in a device contains a function that receives commands from the management console to receive files and execute programs. This function contains a vulnerability in processing authentication within the TCP connection between the management console and client device. This vulnerability may be exploited to execute unauthorized code received from a device impersonating the management console.

According to Sky Co., LTD., attacks in the wild exploiting this vulnerability have been observed.

** Update: Mar 8, 2017 Update ***************************************
On March 8, 2017, Sky Co., LTD. updated the information regarding the solution for this vulnerability and also recommended applying the solution. Attacks which leverage this vulnerability have been observed continuously, and JPCERT/CC has also received reports of the attacks. Users of this product are recommended to update the software to the latest version as soon as possible.

  Sky Co., LTD.
  Information on SKYSEA Client View update and the latest version released (Japanese)
  http://www.skygroup.jp/security-info/170308.html
*********************************************************************


II. Affected Products

The following versions are affected by this vulnerability:

  - SKYSEA Client View Ver.11.221.03 and earlier

These versions are affected by this vulnerability when all of the following conditions are met:

  - When a global IP address is assigned to the client device
  - When the port used by "SKYSEA Client View" for communications is not blocked on the client device


III. Solution

Please update SKYSEA Client View to the latest version listed below:

  - SKYSEA Client View Ver.11.300.08h

In addition, Sky Co., LTD. has provided a patch that addresses the vulnerability. Apply this patch to devices (master server, management console, client device) that have SKYSEA Client View installed.

  Website for users with maintenance contract (Japanese)
  https://www.skyseaclientview.net/scv_sp/d/?l=news1557

** Update: Mar 8, 2017 Update ***************************************
On March 6, 2017, Sky Co., LTD. released a security-enhanced version which improved connection authentication of TCP communication and so forth. For more details, please refer to the information provided by Sky Co., LTD.

  - SKYSEA Client View Ver.11.400.07o

According to Sky Co., LTD., either of the following measures is recommended.

  - update to Ver.11.300.08h or Ver.11.400.07o
  - apply the security patch
*********************************************************************


IV. References

  Sky Co., LTD.
  [Important] Alert for users who operate SKYSEA Client View in global IP address environment (CVE-2016-7836) (Japanese)
  http://www.skyseaclientview.net/news/161221/

  JVNVU#84995847
  SKYSEA Client View vulnerable to arbitrary code execution
  https://jvn.jp/en/jp/JVN84995847/index.html

  National Police Agency
  Alert regarding vulnerability of the software (Japanese)
  https://www.npa.go.jp/cyberpolice/detect/pdf/20161222.pdf

** Update: Mar 8, 2017 Update ***************************************
  Sky Co., LTD.
  Information on SKYSEA Client View update and the latest version released (Japanese)
  http://www.skygroup.jp/security-info/170308.html
*********************************************************************


If you have any information regarding this alert, please contact JPCERT/CC.

________
Revision History
2016-12-22 First edition
2017-03-08 Updated "I. Overview", "III. Solution" and "IV. References"

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
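
The following is an added example, not part of the JPCERT/CC alert or of Sky Co., LTD.'s material: a triage of a client inventory against the version and the two conditions in "II. Affected Products". The record fields, host names and addresses are constructed, and because the alert does not name the communication port, whether it is blocked is taken as an input from your firewall policy.

```python
import ipaddress
import re

LAST_AFFECTED = (11, 221, 3)  # "Ver.11.221.03 and earlier" (section II)

def parse_version(text):
    """'Ver.11.300.08h' -> (11, 300, 8). A trailing build letter is ignored,
    so a lettered build of 11.221.03 is conservatively treated as affected."""
    m = re.fullmatch(r"(?:Ver\.)?(\d+)\.(\d+)\.(\d+)[a-z]?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def has_global_address(addresses):
    # is_global is False for RFC 1918, loopback, link-local and CGNAT (100.64.0.0/10).
    return any(ipaddress.ip_address(a).is_global for a in addresses)

def triage(device):
    """Return AFFECTED, VULNERABLE_VERSION or OK for one inventory record."""
    if device["patched"] or parse_version(device["version"]) > LAST_AFFECTED:
        return "OK"
    if has_global_address(device["addresses"]) and not device["port_blocked"]:
        return "AFFECTED"        # every condition in section II is met
    return "VULNERABLE_VERSION"  # old build; exposure conditions not met right now

# Constructed inventory; field names are hypothetical. 8.8.8.8 stands in for a
# globally routable address, since documentation ranges are not is_global.
FIELDS = ("host", "version", "addresses", "port_blocked", "patched")
ROWS = [
    ("pc-office",     "Ver.11.221.03",  ["192.168.10.21"],          False, False),
    ("laptop-mobile", "Ver.11.221.03",  ["169.254.3.7", "8.8.8.8"], False, False),
    ("laptop-fw",     "Ver.11.221.03",  ["8.8.8.8"],                True,  False),
    ("laptop-cgnat",  "Ver.11.221.03",  ["100.64.12.9"],            False, False),
    ("pc-updated",    "Ver.11.300.08h", ["8.8.8.8"],                False, False),
    ("pc-patched",    "Ver.11.221.03",  ["8.8.8.8"],                False, True),
]
INVENTORY = [dict(zip(FIELDS, row)) for row in ROWS]

def triage_inventory(devices):
    return {d["host"]: triage(d) for d in devices}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:15} {status}")
```

Devices reported as VULNERABLE_VERSION do not meet the alert's exposure conditions at the time of the check, but a laptop can meet them as soon as it joins a network that hands out a global address, so they still need the update or patch from "III. Solution".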