PT-2019-14234 · Gog · Gog Galaxy
Adrian Denkiewicz · Published 2019-11-21 · Updated 2021-07-21
CVE-2019-15511
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GOG Galaxy versions prior to 1.2.60
GOG Galaxy 2.0 Beta versions prior to the version that includes the fix for this issue
Description
A local privilege escalation issue exists due to improper access control in the GalaxyClientService installed by GOG Galaxy, allowing an attacker to send unauthenticated local TCP packets and gain SYSTEM privileges on a Windows system with GOG Galaxy installed.
Recommendations
For GOG Galaxy versions prior to 1.2.60, update to version 1.2.60 or later.
For GOG Galaxy 2.0 Beta, wait for an updated version that includes the fix for this issue and apply it as soon as it becomes available.
As a temporary workaround, consider restricting access to the GalaxyClientService to minimize the risk of exploitation.
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Gog Galaxy