CVE-2019-3980

Name of the Vulnerable Software and Affected Versions DameWare Mini Remote Control version 12.1.0.89

Description The issue allows an unauthenticated, remote attacker to request smart card login and upload and execute an arbitrary executable run under the Local System account. This is due to a lack of source confirmation in the SmartCard Authentication component. The vulnerability has been exploited in real-world incidents, where attackers used it to load malicious software, including a Reverse Shell on Java, and a driver designed to bypass security measures and disable antivirus self-protection components. In one incident, the attackers also used QuasarRAT to establish persistence but made an error in creating a task, which prevented them from maintaining access after a system reboot.

Recommendations For version 12.1.0.89, consider disabling the SmartCard Authentication feature until a patch is available to prevent exploitation. Restrict access to the DWRCS.exe host to minimize the risk of arbitrary executable execution. Avoid using the SmartCard Authentication component in the DameWare Mini Remote Control until the issue is resolved. As a temporary workaround, monitor system logs for suspicious activity, especially related to the execution of unknown executables or changes in system configuration.