CVE-2020-15593

Name of the Vulnerable Software and Affected Versions SteelCentral Aternity Agent version 11.0.0.120

Description The issue concerns the mishandling of Inter-Process Communication (IPC) by the SteelCentral Aternity Agent. It allows any user on the system to access the interprocess communication channel AternityAgentAssistantIpc, retrieve a serialized object, and call object methods remotely. This enables users to perform various actions, including creating and/or overwriting arbitrary XML files across the system, creating arbitrary directories, and loading arbitrary plugins (C# assemblies) from a specific directory and executing the code contained within them.

Recommendations For SteelCentral Aternity Agent version 11.0.0.120, consider restricting access to the AternityAgentAssistantIpc interprocess communication channel to prevent unauthorized users from accessing and manipulating the system. Additionally, limit the ability to load and execute plugins from the "%PROGRAMFILES(X86)/Aternity Information Systems/Assistant/plugins" directory to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.