CVE-2017-3210 — HIGH (7.8) — White Hats Nepal

Q: How severe is CVE-2017-3210?

CVE-2017-3210 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-3210?

Check the references section above for vendor advisories and patch information. Affected products include: Portrait Portrait Display Sdk, Fujitsu Displayview Click, Fujitsu Displayview Click Suite, Hp Display Assistant, Hp My Display.

Vulnerability Description

Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These applications run the component pdiservice.exe with NT AUTHORITY/SYSTEM permissions. This component is also read/writable by all Authenticated Users. This allows local authenticated attackers to run arbitrary code with SYSTEM privileges. The following applications have been identified by Portrait Displays as affected: Fujitsu DisplayView Click: Version 6.0 and 6.01. The issue was fixed in Version 6.3. Fujitsu DisplayView Click Suite: Version 5. The issue is addressed by patch in Version 5.9. HP Display Assistant: Version 2.1. The issue was fixed in Version 2.11. HP My Display: Version 2.0. The issue was fixed in Version 2.1. Philips Smart Control Premium: Versions 2.23, 2.25. The issue was fixed in Version 2.26.

CVSS Score

7.8

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Portrait	Portrait Display Sdk	>= 2.30, < 2.34
Fujitsu	Displayview Click	6.0
Fujitsu	Displayview Click Suite	5.0
Hp	Display Assistant	2.1
Hp	My Display	2.0
Philips	Smart Control Premium	2.23

Related Weaknesses (CWE)

CWE-16 CWE-276

References

https://www.kb.cert.org/vuls/id/219739Third Party AdvisoryUS Government Resource
https://www.securityfocus.com/bid/98006Third Party AdvisoryVDB Entry
https://www.kb.cert.org/vuls/id/219739Third Party AdvisoryUS Government Resource
https://www.securityfocus.com/bid/98006Third Party AdvisoryVDB Entry

FAQ

What is CVE-2017-3210?

CVE-2017-3210 is a vulnerability with a CVSS score of 7.8 (HIGH). Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. A number of applications developed using the...

How severe is CVE-2017-3210?

CVE-2017-3210 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-3210?

Check the references section above for vendor advisories and patch information. Affected products include: Portrait Portrait Display Sdk, Fujitsu Displayview Click, Fujitsu Displayview Click Suite, Hp Display Assistant, Hp My Display.