PT-2023-7544 · Asus · Setupasusservices+1
Published: 2023-07-04 · Updated: 2023-08-04
CVE-2023-26911
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Asus Armoury Crate version 5.3.4.0
SetupAsusServices version 1.0.5.1
Description
The SetupAsusServices module of Asus Armoury Crate has an unquoted service path vulnerability. Because elements of the service path or search path are not quoted, a local user can exploit this to launch processes with elevated privileges.
Recommendations
For Asus Armoury Crate version 5.3.4.0, consider updating to a newer version that addresses the unquoted service path vulnerability in SetupAsusServices.
For SetupAsusServices version 1.0.5.1, update to a version that properly quotes service paths to prevent exploitation.
As a temporary workaround, consider restricting access to the SetupAsusServices module to minimize the risk of exploitation.
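To verify whether a host still has services registered with unquoted paths, the following added example (not part of the advisory and not ASUS code) flags unquoted executable paths that contain a space and prints the quoted form. The function name `Get-UnquotedServicePathFinding` is hypothetical, and the sample service names and paths are constructed placeholders.

```powershell
# Added example: audit service path strings for the unquoted-path weakness.
# Function name, service names and paths below are illustrative assumptions.
function Get-UnquotedServicePathFinding {
    param(
        [string]$Name,
        [string]$PathName
    )
    $p = "$PathName".Trim()
    # Empty or already quoted: nothing to report.
    if ($p -eq '' -or $p.StartsWith('"')) { return }
    # Split into the executable path (up to the first ".exe") and trailing arguments.
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(?<args>(\s.*)?)$', 'IgnoreCase')
    if (-not $m.Success) { return }            # e.g. kernel driver .sys paths
    $exe = $m.Groups['exe'].Value
    if (-not $exe.Contains(' ')) { return }    # no space, so the path is unambiguous
    [pscustomobject]@{
        Name      = $Name
        Current   = $p
        Suggested = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
    }
}

# Constructed sample data (placeholders, not values from the advisory).
$samples = @(
    [pscustomobject]@{ Name = 'ExampleSvcA'; PathName = 'C:\Program Files\Example Vendor\Agent\agent.exe --service' }
    [pscustomobject]@{ Name = 'ExampleSvcB'; PathName = '"C:\Program Files\Example Vendor\Agent\agent.exe" --service' }
    [pscustomobject]@{ Name = 'ExampleSvcC'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
$samples |
    ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -PathName $_.PathName } |
    Format-List

# On a live Windows host, feed the same function from the service database:
# Get-CimInstance Win32_Service |
#     ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -PathName $_.PathName }
```

Only the first sample is reported; an empty result on a live host after updating indicates that no service path of this form remains.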
Affected Products
Asus Armoury Crate
Setupasusservices