PT-2019-9974 · Cerner · Cerner Connectivity Engine
Bryan Rhodes +1
Published 2019-04-25 · Updated 2019-10-03
CVE-2018-20052
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cerner Connectivity Engine (CCE) version 4
Description
The user account that runs the main CCE firmware is granted NOPASSWD sudo rights to several general-purpose utilities. Because those utilities can create, overwrite or replace arbitrary files as root, a local attacker who controls that account (for example through code execution in the firmware process) can escalate to root. For example, the command "sudo ln -s /tmp/script /etc/cron.hourly/script" places a symlink to an attacker-controlled script in a directory whose contents cron executes as root, so the script runs with root privileges on the next hourly run.
Recommendations
For Cerner Connectivity Engine (CCE) version 4, remove the NOPASSWD sudo grants for general-purpose utilities (ln and the others) from the firmware user's sudoers entries, so that the account can no longer create or overwrite root-owned files. If the firmware genuinely needs a root operation, grant sudo only for a root-owned, non-writable wrapper script that performs that one operation with fixed arguments, rather than for the underlying utility. As a temporary workaround until a permanent fix is in place, disable the affected sudo entries entirely; also inspect /etc/cron.* and other root-executed directories for files or symlinks the firmware user could already have placed there.
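Two audit checks for the conditions described in the Description and Recommendations above, added here as an example; this is not Cerner's code and not the advisory authors' proof of concept. It assumes the firmware account is named "cce", uses an illustrative list of write-capable utilities, and parses a constructed sample of "sudo -l" output. The first check flags NOPASSWD grants for such utilities (and, run after the sudoers change, confirms they are gone); the second finds symlinks in a cron directory that point into untrusted locations, which is exactly the escalation path the advisory names.

```shell
#!/bin/sh
# Added example for this advisory (not Cerner's or the advisory authors' code).
# Two checks for the condition CVE-2018-20052 describes on a CCE v4 host:
#   1. which NOPASSWD sudo entries hand out utilities that can write root-owned
#      files (ln is the one the advisory names), and
#   2. whether a cron directory that root's run-parts executes already contains
#      a symlink into an untrusted location such as /tmp.
# The utility list, the trusted-prefix list, the account name "cce" and the
# sample `sudo -l` output below are assumptions made for illustration.

# Assumed list: general-purpose tools that, runnable as root, let the caller
# create, overwrite or replace arbitrary files (or spawn a shell).
RISKY_SUDO_UTILS="ln cp mv tee chmod chown dd vi vim less"

# Constructed sample of `sudo -l` output for an account named "cce".
# On a real host run:  sudo -l 2>/dev/null | find_risky_nopasswd
SAMPLE_SUDO_L='Matching Defaults entries for cce on this host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User cce may run the following commands on this host:
    (root) NOPASSWD: /bin/ln, /bin/cp
    (root) NOPASSWD: /usr/bin/tee
    (root) /usr/bin/systemctl restart cce
    (root) NOPASSWD: /usr/bin/df'

# Reads `sudo -l` output on stdin; prints the path of every NOPASSWD program
# whose basename is in RISKY_SUDO_UTILS, one per line. Entries that still
# require a password, and harmless NOPASSWD entries such as df, are skipped.
find_risky_nopasswd() {
    grep 'NOPASSWD:' | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    while read -r entry; do
        prog=${entry%% *}          # program path without its arguments
        [ -n "$prog" ] || continue
        base=${prog##*/}
        for risky in $RISKY_SUDO_UTILS; do
            if [ "$base" = "$risky" ]; then
                echo "$prog"
            fi
        done
    done
}

# Prints "name -> target" for each symlink in DIR whose target is outside the
# assumed trusted prefixes. Use on /etc/cron.hourly, /etc/cron.daily, etc.
find_suspicious_cron_links() {
    dir=$1
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        case $target in
            /etc/*|/usr/*) ;;                  # assumed trusted locations
            *) echo "${f##*/} -> $target" ;;   # /tmp, relative paths, etc.
        esac
    done
}

# Builds a throwaway cron.hourly directory containing the advisory's symlink
# pattern and runs the check on it, so the example works without touching /etc.
demo_cron_check() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cron.hourly"
    : > "$tmp/cron.hourly/logrotate"                    # ordinary file: ignored
    ln -s /usr/lib/rotate "$tmp/cron.hourly/rotate"     # link into /usr: ignored
    ln -s /tmp/script "$tmp/cron.hourly/script"         # the advisory's example
    find_suspicious_cron_links "$tmp/cron.hourly"
    rm -rf "$tmp"
}

printf '%s\n' "$SAMPLE_SUDO_L" | find_risky_nopasswd
demo_cron_check
```

Run the first check as the firmware account itself, since "sudo -l" reports that account's grants; run the second over every /etc/cron.* directory as root. The trusted-prefix list is a heuristic: a link into /usr or /etc is still dangerous if the target file or its directory is writable by the firmware user, so treat the output as a starting point for manual review rather than a verdict.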
Affected Products
Cerner Connectivity Engine