Description:
The "CorsairService" service installed by the Corsair Utility Engine software is installed with insecure default service
permissions, which allow unprivileged local users to execute arbitrary commands in the context of NT AUTHORITY\SYSTEM by
modifying the CorsairService BINARY_PATH_NAME, giving the unprivileged user complete control of the affected
system. The issue exists because the local Windows "Everyone" security group is granted "SERVICE_ALL_ACCESS" permissions.
Vulnerability Type:
Insecure Permissions
Vendor:
Corsair
Affected Product Code Base:
Corsair Utility Engine Versions 3.2.87, 3.3.103, 3.4.95, 3.6.109, 3.7.99 have been tested. Other versions may be affected.
Fixed Product Code Base:
Corsair Utility Engine Version 3.13.94.
Affected Component:
"CorsairService" Service
Attack Type:
Local
Impact Code Execution:
True
Impact Escalation of Privileges:
True
Attack Vector:
Local Privilege Escalation via abuse of Insecure Service Permissions
Disclosure Timeline:
June 13, 2018 - Initial Contact with Vendor
June 14, 2018 - Vendor states fix is not possible
June 14, 2018 - Notify vendor to re-evaluate
June 14, 2018 - Vendor escalates to software team
June 14, 2018 - Vendor advises to consult Microsoft on managing permission levels of programs
June 14, 2018 - Notify vendor the issue is with the service, not the application.
June 14, 2018 through September 11, 2018 - New software versions released containing the same vulnerability.
July 3, 2018 - Notify vendor their new release suffers from same vulnerability.
July 3, 2018 - Vendor notifies the software still has some issues but they are working on it.
August 13, 2018 - Request status update
August 14, 2018 - Notify of pending release of CVE
August 16, 2018 - Notify vendor their lack of response is giving the impression of apathy, and publishing of CVE is pending.
September 12, 2018 - Request status update
Sometime between September 12, 2018 and October 6, 2018 - Ticket is closed without notification.
October 6, 2018 - Notify vendor they closed my ticket and had them review again.
October 9, 2018 - Vendor notifies they have no intention of changing the product, ticket closed.
October 10, 2018 - Disclosure.
February 25, 2019 - Corsair Utility Engine Version 3.13.94 released. Fixed.
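
The condition in the Description (a broad group such as "Everyone" holding SERVICE_ALL_ACCESS on a service) can be audited from the service's security descriptor. The following is an added example, not part of the original advisory or any vendor tooling: it parses an SDDL string in the format printed by `sc.exe sdshow <service>` and reports low-privileged trustees whose allow ACEs include configuration-changing rights. The function names, trustee list and sample descriptors are assumptions constructed for illustration.

```python
import re

# SDDL access-right codes and their values on service objects (winsvc.h / winnt.h).
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
SERVICE_ALL_ACCESS = 0xF01FF
# Rights that let the holder repoint the service binary or rewrite the DACL/owner.
DANGEROUS = {
    0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}
# Broad, non-administrative trustees (SDDL alias or SID string); an assumed list.
LOW_PRIV = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE",
}

def access_mask(rights):
    """Convert an SDDL rights field (letter pairs or hex) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask

def audit_service_sddl(sddl):
    """Return [(trustee, [dangerous rights])] for allow ACEs in the DACL only."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # stops before any S: (SACL)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in LOW_PRIV:
            continue
        mask = access_mask(fields[2])
        names = [name for bit, name in DANGEROUS.items() if mask & bit]
        if (mask & SERVICE_ALL_ACCESS) == SERVICE_ALL_ACCESS:
            names.insert(0, "SERVICE_ALL_ACCESS")
        if names:
            findings.append((LOW_PRIV[fields[5]], names))
    return findings

# Constructed sample descriptors, not captured from any real installation.
WEAK = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

The audit ACE for "Everyone" in the SACL of the second sample is ignored, since only the DACL grants access.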