PT-2019-19679 · 1&1 · 1&1 Online Storage
Dhn
Published 2019-04-30 · Updated 2020-08-24
CVE-2019-9486
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
STRATO HiDrive Desktop Client version 5.0.1.0
Telekom MagentaCLOUD versions through 5.7.0.0
1&1 Online Storage versions through 6.1.0.0
Description
The issue is a SYSTEM privilege escalation through the HiDriveMaintenanceService service, which establishes a NetNamedPipe endpoint. Applications can connect to this endpoint and call its publicly exposed methods, so an attacker who hijacks the insecure communication with the service can inject and execute code.
Recommendations
For STRATO HiDrive Desktop Client version 5.0.1.0, consider disabling the HiDriveMaintenanceService service until a patch is available.
For Telekom MagentaCLOUD versions through 5.7.0.0, restrict access to the NetNamedPipe endpoint to minimize the risk of exploitation.
For 1&1 Online Storage versions through 6.1.0.0, avoid using the publicly exposed methods in the HiDriveMaintenanceService service until the issue is resolved.
Exploit
Fix
Weakness Enumeration
Time Of Check To Time Of Use
Related Identifiers
Affected Products
1&1 Online Storage
STRATO HiDrive Desktop Client
Telekom MagentaCLOUD