Vulnerability in “T&D Data Server” and “THERMO RECORDER DATA SERVER”

A security vulnerability has been found in "T&D Data Server" and "THERMO RECORDER DATA SERVER" as described below.
We have released fixed software versions that address this vulnerability. See the Fixed Software section below and download the update.

Affected Product / Version

• T&D Data Server / English Version 2.30 or lower
• T&D Data Server / Japanese Version 2.22 or lower
• THERMO RECORDER DATA SERVER / English Version 2.13 or lower
• THERMO RECORDER DATA SERVER / Japanese Version 2.13 or lower

Discovered Vulnerability

• Directory Traversal Issue

Description: The software was able to access existing files(*1) outside the normal operational folders path with the privilege level(*2) at which the software was executed.

*1: Existing files could be opened as read only; folders could not be opened.
*2: Open read only; write, delete, move operations not possible.

Update Particulars

• Implemented a mechanism to remove parameter input that causes directory traversal vulnerabilities when parameters were input to the software.
• Implemented a mechanism to allow access only to areas used by the software and prevent access to other areas.
• Performed a check for any other potential vulnerabilities and had a vulnerability check performed by a third-party.

Solution

• Please use a fixed version of the software.
• If updating to a fixed version is problematic, please restrict access rights (to the computer on which the software is installed) to only trusted computers/users.

Fixed Software / Versions

• T&D Data Server / English version 2.31 and later
• T&D Data Server / Japanese version 2.31 and later
• THERMO RECORDER DATA SERVER / English Version 2.31 and later
• THERMO RECORDER DATA SERVER / Japanese Version 2.31 and later

Download T&D Data Server

Download THERMO RECORDER DATA SERVER ( Go to ESPEC MIC CORP site )