PT-2019-14045 · Valve · Valve Steam Client

Published

2019-08-21

Updated

2020-08-24

CVE-2019-15316

CVSS v3.1

7.0

High

Vector

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Valve Steam Client for Windows versions through 2019-08-20

Description The issue is related to weak folder permissions, which can lead to privilege escalation to NT AUTHORITYSYSTEM. This can be achieved through crafted use of CreateMountPoint.exe and SetOpLock.exe by leveraging a Time-of-Check-to-Time-of-Use (TOCTOU) race condition.

Recommendations For versions through 2019-08-20, update to a version released after 2019-08-20 to resolve the issue.

Exploit

Fix

Incorrect Permission

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732CWE-367

Related Identifiers

CVE-2019-15316

Affected Products

Valve Steam Client

PT-2019-14045 · Valve · Valve Steam Client

CVE-2019-15316

Weakness Enumeration

Related Identifiers

Affected Products

References · 6