CERT Coordination Center

Multiple Toshiba products are vulnerable to trusted service path privilege escalation

Vulnerability Note VU#632140

Original Release Date: 2015-02-27 | Last Revised: 2015-03-05

Overview

Bluetooth Stack for Windows by Toshiba and TOSHIBA Service Station contain a trusted service path privilege escalation vulnerability.

Description

CWE-428: Unquoted Search Path or Element

Bluetooth Stack for Windows by Toshiba versions 9.10.27(T) and earlier, as well as TOSHIBA Service Station versions 2.2.13 and earlier, contain a trusted service path privilege escalation vulnerability.
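
Added example, not part of the CERT note or of Toshiba's software: a check for the CWE-428 condition named above, run over service ImagePath strings such as those stored under HKLM\SYSTEM\CurrentControlSet\Services. The service names and paths are constructed placeholders, because the note does not give the affected services' actual paths.

```python
import re

# Executable part of an unquoted ImagePath: the shortest prefix ending in
# ".exe" that is followed by whitespace or end of string (a heuristic).
_EXE = re.compile(r'^(?P<exe>.*?\.exe)(?P<args>\s.*|)$', re.IGNORECASE)

# Constructed sample data: hypothetical service names and paths.
SAMPLE_SERVICES = {
    'ExampleSvcA': r'C:\Program Files\Example Vendor\Example Service\svc.exe',
    'ExampleSvcB': r'"C:\Program Files\Example Vendor\Example Service\svc.exe" -run',
    'ExampleSvcC': r'%SystemRoot%\system32\svchost.exe -k netsvcs',
    'ExampleSvcD': r'C:\Program Files\Example Vendor\agent.exe /run',
    'ExampleDrv': r'\SystemRoot\System32\drivers\example.sys',
}


def audit_image_path(image_path):
    """Return (flagged, suggested_value) for one service ImagePath string."""
    value = image_path.strip()
    if value.startswith('"'):
        return False, value          # executable path is already quoted
    match = _EXE.match(value)
    if match is None:
        return False, value          # no .exe (e.g. a .sys driver): not assessed
    exe, args = match.group('exe'), match.group('args')
    if ' ' not in exe:
        return False, value          # no space in the path, so no ambiguity
    # CWE-428 condition: unquoted path with a space. Suggest the quoted form.
    return True, '"{}"{}'.format(exe, args)


def audit_services(services):
    """Return [(name, suggested_value)] for every flagged service, sorted."""
    findings = []
    for name in sorted(services):
        flagged, fix = audit_image_path(services[name])
        if flagged:
            findings.append((name, fix))
    return findings


if __name__ == '__main__':
    for name, fix in audit_services(SAMPLE_SERVICES):
        print('{}: unquoted path with spaces; quoted form: {}'.format(name, fix))
```

A flagged entry on a host running the affected Toshiba versions is resolved by the vendor update listed under Solution; the quoted form only shows what a corrected value looks like.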

Impact

A local authenticated attacker may be able to escalate privileges to SYSTEM.

Solution

Apply an Update

Toshiba recommends upgrading Bluetooth Stack for Windows by Toshiba to version 9.10.32(T) and TOSHIBA Service Station to version 2.2.14.

Vendor Information

Toshiba Corporation

Updated:  February 26, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C
Temporal 5.2 E:POC/RL:OF/RC:C
Environmental 3.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Giovanni Delvecchio for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2015-0884
Date Public: 2015-02-26
Date First Published: 2015-02-27
Date Last Updated: 2015-03-05 23:49 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.