PT-2018-5076 · Forescout · Secureconnector

Ariel Montano Cardenas +2 · Published 2018-07-13 · Updated 2019-10-09 · CVE-2016-9486

CVSS v2.0: 7.2 (High)

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SecureConnector agent (affected versions not specified)

Description

The SecureConnector agent runs under the local SYSTEM account and executes plugin scripts and executables on the endpoint to gather and report information to the CounterACT management appliance. These executable files are downloaded to and run from the %TEMP% directory of the currently logged on user. A batch file with SYSTEM privileges is run from this temp directory. If the naming convention of this script can be derived, it may be possible to overwrite the legitimate batch file with a malicious one before execution. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations

To mitigate the risk, consider setting the configuration property config.script_run_folder.value in the local.properties configuration file on the CounterACT management appliance to change the directory where scripts are run. However, note that the batch file executed by SecureConnector does not follow this property. As a temporary workaround, restrict access to the temp directory of the currently logged on user to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
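
An audit for the workaround above, as an added example (not code from Forescout or from this advisory): it lists the allow ACEs that grant write-type rights on a directory to any principal other than SYSTEM and Administrators. The function name and the trusted-SID list are assumptions made for illustration.

```powershell
function Get-UntrustedWriteAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: only these principals may modify scripts a SYSTEM agent runs.
        [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544')  # SYSTEM, Administrators
    )

    # Specific rights that allow replacing, creating or re-permissioning files.
    $rights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights
    # Generic rights can appear unmapped in an ACE: GENERIC_WRITE, GENERIC_ALL.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    # Ask for SIDs rather than names so the check does not depend on the OS language.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($TrustedSid -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try {
            $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved)'
        }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $sid
            Account   = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Run as the logged-on user to check the folder the description refers to.
Get-UntrustedWriteAce -Path $env:TEMP | Format-Table -AutoSize
```

With default permissions the logged-on user's own SID is expected in the output for %TEMP%. Run the same check against any directory configured as the script run folder, which should return no rows.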
Related Identifiers: CVE-2016-9486

Affected Products: Secureconnector