Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVE/CVE-2018-12441/CVE-2018-12441.txt
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
52 lines (42 sloc)
2.26 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: | |
| The "CorsairService" service installed by the Corsair Utility Engine software is installed with insecure default service | |
| permissions, which allows unprivileged local users to execute aritrary commands under the context of NT_AUTHORITY\SYSTEM via | |
| modification of the CorsairService BINARY_PATH_NAME, allowing the unprivileged user to gain complete control of the affected | |
| system. The issue exists due to the local Windows "Everyone" security group being granted "SERVICE_ALL_ACCESS" permissions. | |
| Vulnerability Type: | |
| Insecure Permissions | |
| Vendor: | |
| Corsair | |
| Affected Product Code Base: | |
| Corsair Utility Engine Versions 3.2.87, 3.3.103, 3.4.95, 3.6.109, 3.7.99 have been tested. Other versions may be affected. | |
| Fixed Product Code Base: | |
| Corsair Utility Engine Version 3.13.94. | |
| Affected Component: | |
| "CorsairService" Service | |
| Attack Type: | |
| Local | |
| Impact Code Execution: | |
| True | |
| Impact Escalation of Privileges: | |
| True | |
| Attack Vector: | |
| Local Privilege Escalation via abuse of Insecure Service Permissions | |
| Disclosure Timeline: | |
| June 13, 2018 - Initial Contact with Vendor | |
| June 14, 2018 - Vendor states fix is not possible | |
| June 14, 2018 - Notify vendor to re-evaluate | |
| June 14, 2018 - Vendor escalates to software team | |
| June 14, 2018 - Vendor advises to consult Microsoft on managing permission levels of programs | |
| June 14, 2018 - Notify vendor the issue is with the service, not the application. | |
| June 14, 2018 through September 11, 2018 - New software versions released containing the same vulnerability. | |
| July 3, 2018 - Notify vendor their new release suffers from same vulnerability. | |
| July 3, 2018 - Vendor notifies the software still has some issues but they are working on it. | |
| August 13, 2018 - Request status update | |
| August 14, 2018 - Notify of pending release of CVE | |
| August 16, 2018 - Notify vendor their lack of response is giving the impression of apathy, and publishing of CVE is pending. | |
| September 12, 2018 - Request status update | |
| Sometime between September 12, 2018 and October 6, 2018 - Ticket is closed without notification. | |
| October 6, 2018 - Notify vendor they closed my ticket and had them review again. | |
| October 9, 2018 - Vendor notifies they have no intention of changing the product, ticket closed. | |
| October 10, 2018 - Disclosure. | |
| February 25, 2019 - Corsair Utility Engine Version 3.13.94 released. Fixed. |