PT-2023-25855 · Parsec+1 · Parsec Loader+1
Julian Horoszkiewicz
·
Published
2023-08-20
·
Updated
2024-10-17
·
CVE-2023-37250
CVSS v3.1
7.0
High
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Unity Parsec versions prior to 9
Parsec Loader versions prior to 9
Description
The issue is a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The application launches DLLs from a user-owned directory by design, and was intended to always perform integrity verification of those DLLs.
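The check-then-use pattern described above, next to one way to close the window, as an added Python sketch that is not Parsec's code. The file names, the `between` hook that stands in for a concurrent writer to the user-owned directory, and the private directory are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_racy(path, expected, between=lambda: None):
    """Check-then-use by name: the file is opened twice."""
    with open(path, "rb") as f:
        if sha256(f.read()) != expected:          # time of check
            raise ValueError("integrity check failed")
    between()                                     # anyone who can write the directory can act here
    with open(path, "rb") as f:                   # time of use: a second open by name
        return f.read()

def load_pinned(path, expected, private_dir, between=lambda: None):
    """Read once, verify those bytes, then use only a private copy of them."""
    with open(path, "rb") as f:
        data = f.read()
    if sha256(data) != expected:
        raise ValueError("integrity check failed")
    between()                                     # later changes to `path` no longer matter
    pinned = os.path.join(private_dir, os.path.basename(path))
    with open(pinned, "wb") as f:                 # assumption: private_dir is writable only by the loader
        f.write(data)
    with open(pinned, "rb") as f:
        return f.read()

def demo():
    """Return (racy result is the verified content, pinned result is the verified content)."""
    good = b"verified module bytes (constructed)"
    other = b"different bytes (constructed)"
    with tempfile.TemporaryDirectory() as user_dir, tempfile.TemporaryDirectory() as private_dir:
        path = os.path.join(user_dir, "module.bin")

        def put(content):
            with open(path, "wb") as f:
                f.write(content)

        put(good)
        racy = load_racy(path, sha256(good), between=lambda: put(other))
        put(good)
        pinned = load_pinned(path, sha256(good), private_dir, between=lambda: put(other))
        return racy == good, pinned == good

if __name__ == "__main__":
    print(demo())
```

The racy loader passes its check and still returns content it never verified, while the pinned loader returns exactly the bytes it hashed.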
Recommendations
For Unity Parsec versions prior to 9, update to version 9 to resolve the issue.
For Parsec Loader versions prior to 9, update to version 9 to resolve the issue.
As a temporary workaround, consider restricting access to the user-owned directory where the DLLs are launched to minimize the risk of exploitation.
Fix
Time Of Check To Time Of Use
Weakness Enumeration
Related identifiers
Affected products
Parsec Loader
Unity Parsec