PT-2019-19679 · 1&1+2 · 1&1 Online Storage+2
Dhn · Published 2019-04-30 · Updated 2020-08-24 · CVE-2019-9486
CVSS v2.0 · 9.0 · High
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
STRATO HiDrive Desktop Client version 5.0.1.0
Telekom MagentaCLOUD versions through 5.7.0.0
1&1 Online Storage versions through 6.1.0.0
Description
The issue concerns a SYSTEM privilege escalation through the HiDriveMaintenanceService service, which establishes a NetNamedPipe endpoint. This allows applications to connect and call publicly exposed methods, enabling an attacker to inject and execute code by hijacking the insecure communications with the service.
Recommendations
For STRATO HiDrive Desktop Client version 5.0.1.0, consider disabling the HiDriveMaintenanceService service until a patch is available.
For Telekom MagentaCLOUD versions through 5.7.0.0, restrict access to the NetNamedPipe endpoint to minimize the risk of exploitation.
For 1&1 Online Storage versions through 6.1.0.0, avoid using the publicly exposed methods in the HiDriveMaintenanceService service until the issue is resolved.
Exploit
Fix
Time Of Check To Time Of Use
Weakness Enumeration
Related Identifiers
Affected Products
1&1 Online Storage
Strato Hidrive Desktop Client
Telekom Magentacloud