Pentest Security Advisory : PTL-2006-02
Multiple critical vulnerabilities affecting Sony VAIO Media Integrated Server
Title: Multiple critical vulnerabilities affecting Sony VAIO Media Integrated Server
Announcement date: 16 August 2006
Products: Sony VAIO Media Integrated Server
Vulnerability Type: Buffer Overflow, Directory Traversal
Advisory URL (Japan): http://vcl.vaio.sony.co.jp/notices/security/info211.html
Multiple vulnerabilities have been discovered in Sony's VAIO Media Integrated Server software. They allow arbitrary code to be executed with full SYSTEM privileges and, separately, arbitrary files to be retrieved from the host file system.
These issues are rated critical because the VAIO Media Integrated Server runs in the context of the SYSTEM user: successful code execution gives complete control of the host, and file retrieval is not constrained by NTFS permissions, since SYSTEM can read any local file.
The following versions of the VAIO Media Integrated Server are affected by these vulnerabilities:
VAIO Media Server 2.x, 3.x, 4.x, and 5.x
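The advisory does not describe the protocol, the affected parameter or the code path, so the following is an added illustration in C of the two bug classes named above; it is not Sony's code and is not derived from the VAIO Media Server. It shows an attacker-supplied media path copied into a fixed-size buffer with a length check (the hardened form of the unbounded copy behind a stack overflow), followed by a lexical normalisation that rejects any request escaping the media root. The media root, buffer sizes, separator handling and sample requests are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed request buffer, sized like the Windows MAX_PATH limit. Assumed for the
 * example; the real server's buffer sizes are not given in the advisory. */
#define MAX_REQ_LEN 260
#define MAX_SEGMENTS 64

/* Bounded copy. The overflow class in the advisory is an unbounded copy such as
 * strcpy(dst, src) into a fixed stack buffer; this rejects oversized input
 * instead of truncating it, so the caller never works on a half-copied path. */
static bool bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len)
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

/* Resolve an attacker-supplied relative media path against 'root'.
 * Accepts '/' or '\\' as separators (the target is a Windows service),
 * drops "." segments, pops ".." segments, and refuses any request that is
 * absolute, names a drive letter, or would climb above the root.
 * On success writes "root/seg1/seg2..." into 'out' and returns true. */
static bool safe_media_path(const char *root, const char *request,
                            char *out, size_t out_len)
{
    char buf[MAX_REQ_LEN];
    if (!bounded_copy(buf, sizeof buf, request))
        return false;                       /* oversized request: overflow guard */

    /* Absolute, UNC (\\host\share) and drive-letter paths are never media paths. */
    if (buf[0] == '/' || buf[0] == '\\')
        return false;
    if (isalpha((unsigned char)buf[0]) && buf[1] == ':')
        return false;

    const char *segs[MAX_SEGMENTS];
    size_t lens[MAX_SEGMENTS];
    int depth = 0;

    for (char *p = buf; *p;) {
        char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t n = (size_t)(p - start);
        if (*p)
            p++;                            /* skip the separator */
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                       /* empty or "." segment */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;               /* ".." above the root: traversal */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS)
            return false;
        segs[depth] = start;
        lens[depth] = n;
        depth++;
    }

    /* Rebuild the path under root, bounded by out_len. */
    size_t used = strlen(root);
    if (used >= out_len)
        return false;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= out_len)
            return false;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return true;
}

/* Returns 1 if 'request' is accepted and resolves to 'expected'; with
 * expected == NULL, returns 1 only if the request is rejected. */
int traversal_check(const char *root, const char *request, const char *expected)
{
    char out[MAX_REQ_LEN];
    bool ok = safe_media_path(root, request, out, sizeof out);
    if (expected == NULL)
        return !ok;
    return ok && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample requests; the media root is assumed. */
    const char *root = "C:/MediaLibrary";
    const char *requests[] = {
        "music/track01.mp3",
        "music/./a/../track02.mp3",
        "..\\..\\WINDOWS\\system32\\config\\sam",
        "C:\\boot.ini",
        "video/../../boot.ini",
    };
    char out[MAX_REQ_LEN];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        bool ok = safe_media_path(root, requests[i], out, sizeof out);
        printf("%-40s -> %s\n", requests[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

Lexical normalisation is only the first check: on Windows the path the server finally opens should also be canonicalised (GetFullPathName or the equivalent) and re-verified to lie under the root, because junctions, symbolic links and 8.3 short names can still point outside it. The privilege problem the advisory highlights is independent of either check; a media server that runs as SYSTEM turns any such bug into a full host compromise, which is why running it under a dedicated low-privilege account matters as much as the path checks.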
11-04-2006 - Initial Pentest Limited notification to Sony, without response
13-04-2006 - Vulnerabilities reported to JPCERT/CC
04-05-2006 - Response from JPCERT/CC, indicating that Sony have confirmed the existence of the vulnerabilities
26-06-2006 - Sony begin distribution of patches to Japan, Asia, USA and Europe locales
Official fixes for the issues covered by this security advisory have been released. To apply them, install the update that matches the version of VAIO Media Integrated Server in use, available from the advisory URL referenced above.
As a workaround until the update is applied, access to the VAIO Media Server should be denied to remote users, for example by blocking its listening ports at a host or network firewall or restricting them to the local network segment. The workaround reduces exposure but does not remove the vulnerabilities; local users and anyone already on the permitted network can still reach the service.
These vulnerabilities were discovered by Joe Moore from Pentest Limited.
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.