Vulnerability Details : CVE-2017-3210
Applications developed using the Portrait Displays SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These applications run the component pdiservice.exe with NT AUTHORITY/SYSTEM permissions. This component is also read/writable by all Authenticated Users. This allows local authenticated attackers to run arbitrary code with SYSTEM privileges. The following applications have been identified by Portrait Displays as affected:
- Fujitsu DisplayView Click: Version 6.0 and 6.01. The issue was fixed in Version 6.3.
- Fujitsu DisplayView Click Suite: Version 5. The issue is addressed by patch in Version 5.9.
- HP Display Assistant: Version 2.1. The issue was fixed in Version 2.11.
- HP My Display: Version 2.0. The issue was fixed in Version 2.1.
- Philips Smart Control Premium: Versions 2.23, 2.25. The issue was fixed in Version 2.26.
Exploit prediction scoring system (EPSS) score for CVE-2017-3210
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ %
CVSS scores for CVE-2017-3210
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2017-3210
- Assigned by: nvd@nist.gov (Primary)
- During installation, installed file permissions are set to allow anyone to modify those files. Assigned by: cret@cert.org (Secondary)
References for CVE-2017-3210
- https://www.securityfocus.com/bid/98006
  Portrait Displays SDK CVE-2017-3210 Local Privilege Escalation Vulnerability (Third Party Advisory; VDB Entry)
- https://www.kb.cert.org/vuls/id/219739
  VU#219739 - Portrait Displays SDK applications are vulnerable to arbitrary code execution and privilege escalation (Third Party Advisory; US Government Resource)
Products affected by CVE-2017-3210
- cpe:2.3:a:hp:display_assistant:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:hp:my_display:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:fujitsu:displayview_click:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:fujitsu:displayview_click:6.01:*:*:*:*:*:*:*
- cpe:2.3:a:fujitsu:displayview_click_suite:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:philips:smart_control_premium:2.25:*:*:*:*:*:*:*
- cpe:2.3:a:philips:smart_control_premium:2.23:*:*:*:*:*:*:*
- cpe:2.3:a:portrait:portrait_display_sdk:*:*:*:*:*:*:*:*