Pentest Security Advisory : PTL-2006-02
Multiple critical vulnerabilities affecting Sony VAIO Media Integrated Server

Advisory Details

Title: Multiple critical vulnerabilities affecting Sony VAIO Media Integrated Server
Announcement date: 16 August 2006
Advisory Reference: ptl-2006-02
Products: Sony VAIO Media Integrated Server
Vulnerability Type: Buffer Overflow, Directory Traversal
Vendor-Status: Patch Released
Remotely Exploitable: Yes
Locally Exploitable: Yes
Advisory URL (Japan): http://vcl.vaio.sony.co.jp/notices/security/info211.html

Vulnerability Description

Multiple vulnerabilities have been discovered in Sony's VAIO Media Integrated Server software, allowing arbitrary code to be executed with full SYSTEM privileges and additionally allowing arbitrary files to be retrieved from the host operating system.

The severity of these issues is deemed critical due to the VAIO Media Integrated Server software running in the context of the SYSTEM user.

Vulnerable Versions

The following versions of the VAIO Media Integrated Server are affected by these vulnerabilities:

VAIO Media Server 2.x, 3.x, 4.x, and 5.x

Vendor Status

11-04-2006 - Initial Pentest Limited Notification to Sony, without response
13-04-2006 - Vulnerabilities reported to JPCERT/CC
04-05-2006 - Response from JPCERT/CC, indicating that Sony have confirmed the existence of the vulnerabilities
26-06-2006 - Sony begin distribution of patches to Japan, Asia, USA and Europe locales

Fix

Official fixes to the issues covered by this security advisory have been released. To implement the fix, install the relevant update for the version of VAIO Media Integrated Server in use by visiting the advisory URLs referenced above.

As a workaround prior to updating the affected software, it is suggested that access to the VAIO Media Server be denied to remote users.

Credit

These vulnerabilities were discovered by Joe Moore from Pentest Limited.
