PT-2019-12150 · Mirasys · Mirasys Vms

Published: 2019-08-22 · Updated: 2020-08-24 · CVE-2019-11030

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Mirasys VMS versions prior to 7.6.1
Mirasys VMS versions 8.x prior to 8.3.2

Description

The issue concerns the mishandling of the Mirasys.Common.Utils.Security.DataCrypt method within the Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector. An attacker can execute a gadget, contained in a serialized object, with SYSTEM privileges if the object is properly encrypted. However, the encryption keys are hardcoded and available.

Recommendations

For Mirasys VMS versions prior to 7.6.1, update to version 7.6.1 or later.
For Mirasys VMS versions 8.x prior to 8.3.2, update to version 8.3.2 or later.

Fix

Deserialization of Untrusted Data

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2019-11030

Affected Products

Mirasys Vms