CVE-2017-3210

Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution

  • Severity Score: 7.8 (CVSS v3)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These applications run the component pdiservice.exe with NT AUTHORITY/SYSTEM permissions. This component is also read/writable by all Authenticated Users. This allows local authenticated attackers to run arbitrary code with SYSTEM privileges.

The following applications have been identified by Portrait Displays as affected:
  • Fujitsu DisplayView Click: Version 6.0 and 6.01. The issue was fixed in Version 6.3.
  • Fujitsu DisplayView Click Suite: Version 5. The issue is addressed by patch in Version 5.9.
  • HP Display Assistant: Version 2.1. The issue was fixed in Version 2.11.
  • HP My Display: Version 2.0. The issue was fixed in Version 2.1.
  • Philips Smart Control Premium: Versions 2.23, 2.25. The issue was fixed in Version 2.26.

Applications developed using the Portrait Displays SDK, from version 2.30 through 2.34, default to insecure configurations that allow arbitrary code execution. A number of applications developed with the Portrait Displays SDK do not use secure permissions when running. These applications run the pdiservice.exe component with AUTHORITY/SYSTEM permissions. This component can also be read/written by all authenticated users. This allows local authenticated attackers to execute arbitrary code with SYSTEM privileges. Portrait Displays has identified the following applications as affected: Fujitsu DisplayView Click: versions 6.0 and 6.01. This issue was fixed in version 6.3. Fujitsu DisplayView Click Suite: version 5. This issue was fixed by a patch in version 5.9. HP Display Assistant: version 2.1. This issue was fixed in version 2.11. HP My Display: version 2.0. This issue was fixed in version 2.1. Philips Smart Control Premium: versions 2.23 and 2.25. This issue was fixed in version 2.26.

Portrait Display SDK Service suffers from a privilege escalation vulnerability due to an insecure service configuration.

*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2016-12-05 CVE Reserved
  • 2017-04-26 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-16: Configuration
  • CWE-276: Incorrect Default Permissions
CAPEC
References (2)
URL Tag Source
https://www.kb.cert.org/vuls/id/219739 Third Party Advisory
https://www.securityfocus.com/bid/98006 Third Party Advisory
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
  • Portrait | Portrait Display Sdk | >= 2.30 < 2.34 | - | Affected
  • Fujitsu | Displayview Click | 6.0 | - | Affected
  • Fujitsu | Displayview Click | 6.01 | - | Affected
  • Fujitsu | Displayview Click Suite | 5.0 | - | Affected
  • Hp | Display Assistant | 2.1 | - | Affected
  • Hp | My Display | 2.0 | - | Affected
  • Philips | Smart Control Premium | 2.23 | - | Affected
  • Philips | Smart Control Premium | 2.25 | - | Affected