Vulnerability CVE-2019-12133


Published: 2019-06-18   Modified: 2019-06-19

Description:
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.
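The two preconditions described above (a ManageEngine tree that standard users can write to, and services started from that tree as LocalSystem) can be audited directly on the host. The script below is an added example, not code from the advisory, from cxsecurity.com, or from Zoho. It assumes the default install root %SYSTEMDRIVE%\ManageEngine (override with -Root for non-default installs), a fixed list of well-known SIDs that every local user effectively holds, and a rights mask of its own choosing; the file name in the usage note is hypothetical.

```powershell
<#
Added example (not from the advisory or from Zoho). Audits the ManageEngine
install tree for the conditions behind CVE-2019-12133:
  1. directory ACEs that let low-privileged principals create, replace or
     re-permission files (enough to plant an sc.exe of the attacker's choosing);
  2. services whose binary lives under that tree, since those start at boot as
     LocalSystem and are the ones that would pick up a planted binary.
Run from an elevated PowerShell on the ManageEngine host.
#>
param(
    # Default taken from the CVE text; assumption for non-default installs.
    [string]$Root = (Join-Path $env:SystemDrive 'ManageEngine')
)

# Well-known SIDs that any interactive local user effectively holds (assumed list).
$lowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-4',        # INTERACTIVE
    'S-1-5-32-545'    # BUILTIN\Users
)

# Rights sufficient to plant/replace a file, or to grant oneself that ability.
# 'Write' already includes CreateFiles and CreateDirectories.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false   # orphaned or untranslatable identity: not one of the groups above
    }
    if ($lowPrivSids -notcontains $sid) { return $false }
    return (([int]$Ace.FileSystemRights -band [int]$writeMask) -ne 0)
}

# Root plus every sub-folder; access-denied folders are skipped rather than aborting.
$dirs = @(Get-Item -LiteralPath $Root -ErrorAction Stop) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$weak = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if (Test-WeakAce $ace) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Services whose image path points into the tree, with the account they run as.
$svc = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -and $_.PathName.TrimStart('"').StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)
} | Select-Object Name, StartMode, StartName, PathName

"== Directories under $Root writable by low-privileged principals =="
$weak | Format-Table -AutoSize
"== Services whose binary lives under $Root =="
$svc | Format-Table -AutoSize

if ($weak -and ($svc | Where-Object { $_.StartName -eq 'LocalSystem' })) {
    Write-Warning "A LocalSystem service starts from a tree that standard users can write to: the conditions for CVE-2019-12133 are present."
}
```

Usage: `.\Audit-ManageEngineAcl.ps1` (or `-Root 'D:\ManageEngine'`). A single inherited Modify or FullControl ACE for BUILTIN\Users on the root is enough to make every sub-folder show up. The script checks the ACL precondition and the privileged services; confirming that a given service really resolves sc.exe from its working directory at start-up is a separate step (for example, watching the service's CreateProcess calls with Process Monitor during a reboot).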

Type:

CWE-275 (Permission Issues)

CVSS v2 vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Base score: 7.2/10
Impact subscore: 10/10
Exploitability subscore: 3.9/10

Access vector: Local
Access complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete
Affected software
Zohocorp -> Manageengine servicedesk plus 
Zohocorp -> Manageengine analytics plus 
Zohocorp -> Manageengine supportcenter plus 
Zohocorp -> Manageengine browser security plus 
Zohocorp -> Manageengine vulnerability manager plus 
Zohocorp -> Manageengine desktop central 
Zohocorp -> Manageengine eventlog analyzer 
Zohocorp -> Manageengine firewall 
Zohocorp -> Manageengine key manager plus 
Zohocorp -> Manageengine mobile device manager plus 
Zohocorp -> Manageengine netflow analyzer 
Zohocorp -> Manageengine network configuration manager 
Zohocorp -> Manageengine o365 manager plus 
Zohocorp -> Manageengine opmanager 
Zohocorp -> Manageengine oputils 
Zohocorp -> Manageengine password manager pro 
Zohocorp -> Manageengine patch connect plus 
Zohocorp -> Manageengine patch manager plus 

References:
https://github.com/active-labs/Advisories/blob/master/ACTIVE-2019-007.md
https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html

Copyright 2024, cxsecurity.com