CVE-2021-29645

Description

Hitachi JP1/IT Desktop Management 2 Agent 9 through 12 calls the SendMessageTimeoutW API with arbitrary arguments via a local pipe, leading to a local privilege escalation vulnerability. An attacker who exploits this issue could execute arbitrary code on the local system.

Related CPE's

ahitachiit_operations_director********

ahitachiit_operations_director********

ahitachiit_operations_director********

ahitachiit_operations_director********

ahitachijob_management_partner_1\/it_desktop_management-manager********

ahitachijob_management_partner_1\/it_desktop_management-manager********

ahitachijob_management_partner_1\/it_desktop_management-manager********

ahitachijob_management_partner_1\/it_desktop_management_2-manager********

ahitachijob_management_partner_1\/remote_control_agent********

ahitachijob_management_partner_1\/remote_control_agent********

References

https://www.hitachi.com/hirt/security/index.html

Vendor Advisory

CvssV3 impact

BaseSeverity

HIGH

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

LOCAL

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

LOW

BaseScore

7.8

VectorString

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

PARTIAL

AvailabilityImpact

PARTIAL

IntegrityImpact

PARTIAL

BaseScore

4.6

VectorString

AV:L/AC:L/Au:N/C:P/I:P/A:P

Version

2.0

AccessVector

LOCAL

Authentication

NONE

Created by Yello
About Severity.io