Securepoint SSL VPN Client 2.0.30 Local Privilege Escalation

2021.06.30
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Local Privilege Escalation in Securepoint SSL VPN Client 2.0.30

Metadata
===================================================
Release Date: 29-Jun-2021
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product: Securepoint SSL VPN Client
Fixed in: version 2.0.32
Tested on: Windows 10 x64 fully patched
CVE: CVE-2021-35523
URL: https://bogner.sh/2021/06/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/
Vulnerability Status: Fixed with new release

Vulnerability Description (copied from the CVE Details)
===================================================
Securepoint SSL VPN Client v2 before 2.0.32 on Windows has unsafe configuration handling that enables local privilege escalation to NT AUTHORITY\SYSTEM. A non-privileged local user can modify the OpenVPN configuration stored under "%APPDATA%\Securepoint SSL VPN" and add an external script file that is executed as a privileged user.

A full vulnerability description is available here: https://bogner.sh/2021/06/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/

Suggested Solution
===================================================
End-users should update to the latest available version.

Disclosure Timeline
===================================================
14.04.2021: The vulnerability was discovered and reported to security@securepoint.de
15.04.2021: The report was triaged
26.04.2021: Securepoint SSL VPN Client Version 2.0.32 was released, which contains an initial fix for the vulnerability
23.06.2021: Securepoint SSL VPN Client Version 2.0.34 was released, which contains additional security measures.
28.06.2021: CVE-2021-35523 was assigned: https://nvd.nist.gov/vuln/detail/CVE-2021-35523
29.06.2021: Responsible disclosure in cooperation with Securepoint: https://github.com/Securepoint/openvpn-client/security/advisories/GHSA-v8p8-4w8f-qh34

___________
Florian Bogner
Information Security Expert, Speaker
Bee IT Security Consulting GmbH
Nibelungenstraße 37
3123 A-Schweinern
Mail: florian.bogner@bee-itsecurity.at
Web: https://www.bee-itsecurity.at

