Man-in-the-Middle (MitM) attack in Sony VAIO Update

#VU18896 Man-in-the-Middle (MitM) attack in Sony VAIO Update

Published: 2019-06-25

Vulnerability identifier: #VU18896

Vulnerability risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-5982

CWE-ID: CWE-300

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Sony VAIO Update
Client/Desktop applications / Other client software

Vendor: Sony Corporation

Description

The vulnerability allows a remote attacker to perform man-in-the-middle (MitM) attack.

The vulnerability exists due to software does not validate integrity of the downloaded file before executing it. A remote attacker with ability to perform man-in-the-middle (MitM) attack can execute arbitrary code on the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Sony VAIO Update: 5.1.1.04090 - 7.3.0.03150

External links
http://jvn.jp/en/jp/JVN13555032/index.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Sony VAIO Update