Pentest Security Advisory : PTL-2006-02
Multiple critical vulnerabilities affecting Sony VAIO Media Integrated Server
Advisory Details
| Title: | Multiple critical vulnerabilities affecting Sony VAIO Media Integrated Server |
| Announcement date: | 16 August 2006 |
| Advisory Reference: | ptl-2006-02 |
| Products: | Sony VAIO Media Integrated Server |
| Vulnerability Type: | Buffer Overflow, Directory Traversal |
| Vendor-Status: | Patch Released |
| Remotely Exploitable: | Yes |
| Locally Exploitable: | Yes |
| Advisory URL (Japan): | http://vcl.vaio.sony.co.jp/notices/security/info211.html |
Vulnerability Description
Multiple vulnerabilities have been discovered in Sony's VAIO Media Integrated Server software, allowing arbitrary code to be executed with full SYSTEM privileges and additionally allowing arbitrary files to be retrieved from the host operating system.
The severity of these issues is deemed critical due to the VAIO Media Integrated Server software running in the context of the SYSTEM user.
Vulnerable Versions
The following versions of the VAIO Media Integrated Server are affected by these vulnerabilities:
VAIO Media Server 2.x, 3.x, 4.x, and 5.x
Vendor Status
| 11-04-2006 - | Initial Pentest Limited Notification to Sony, without response |
| 13-04-2006 - | Vulnerablities reported to JPCERT/CC |
| 04-05-2006 - | Response from JPCERT/CC, indicating that Sony have confirmed the existence of the vulnerabilities |
| 26-06-2006 - | Sony begin distribution of patches to Japan, Asia, USA and Europe Locales |
Fix
Official fixes to the issues covered by this security advisory have been released. To implement the fix, install the relevant update for the version of VAIO Media Integrated Server in use by visiting the advisory URLs referenced above.
As a workaround prior to updating the affected software, it is suggested that access to the VAIO Media Server be denied to remote users.
Credit
These vulnerabilities were discovered by Joe Moore from Pentest Limited.
PTL-2013-01
Penetration Testing as a service has grown into a business in its own right, providing numerous corporations with a valuable weapon in their growing arsenal of security counter measures. Pentest Limited was set up in June 2001 to provide specialist security services to businesses across the UK, North America and Europe.
Pentest Limited offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these databases.
