ACTIVE-2019-006: Viber for Desktop URI Handler Remote Command Execution
Vulnerability Type:
Remote Command Execution
Vendors:
Viber Media S.à r.l.
CVE ID:
CVE-2019-12569
Affected Products:
- Viber for Desktop Version 10.5.0.23 and older for Windows
Summary:
A vulnerability in the Viber for Desktop, could allow an attacker to execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI that is defined in Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.
Mitigation:
The vendor has released a patch in version 10.7.0 addressing this vulnerability.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12569
- https://nvd.nist.gov/vuln/detail/CVE-2019-12569
Disclosure Timeline:
- 05-04-19: ACTIVELabs contacted Viber via support portal
- 05-04-19: Viber support requested vulnerability information
- 05-04-19: ACTIVELabs sent vulnerability report however was not able to share PoC files with the vendor
- 05-06-19: ACTIVELabs requested status update
- 05-10-19: Viber support suggested other means to share PoC files
- 05-10-19: ACTIVELabs shared PoC files with the vendor
- 05-14-19: ACTIVELabs requested status update
- 05-16-19: Viber support replied stating patch was released in version 10.7.0
- 05-16-19: ACTIVELabs informed Viber that a CVE will be requested for this vulnerability
- 05-24-19: Viber support requested to validate the latest version, that is version 10.7.0
- 05-24-19: ACTIVELabs informed Viber support the patch has nullified the security vulnerability
- 05-24-19: ACTIVELabs publishes this advisory
- 05-24-19: ACTIVELabs requested CVE from MITRE
- 06-02-19: MITRE issued CVE-2019-12569