CVE-2020-5569 Information

Description

An unquoted search path vulnerability exists in HDD Password tool (for Windows) version 1.20.6620 and earlier which is stored in CANVIO PREMIUM 3TB(HD-MB30TY HD-MA30TY HD-MB30TS HD-MA30TS) CANVIO PREMIUM 2TB(HD-MB20TY HD-MA20TY HD-MB20TS HD-MA20TS) CANVIO PREMIUM 1TB(HD-MB10TY HD-MA10TY HD-MB10TS HD-MA10TS) CANVIO SLIM 1TB(HD-SB10TK HD-SB10TS) and CANVIO SLIM 500GB(HD-SB50GK HD-SA50GK HD-SB50GS HD-SA50GS) and which was downloaded before 2020 May 10. Since it registers Windows services with unquoted file paths when a registered path contains spaces and a malicious executable is placed on a certain path it may be executed with the privilege of the Windows service.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://jvn.jp/en/jp/JVN13467854/index.html https://www.canvio.jp/news/20200420.htm

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.4