WIN-911 Software has been made aware of two potential vulnerabilities affecting all versions of WIN-911 Standard, Interactive, and Advanced. Successful exploitation could allow a local user to escalate privileges on the host. These vulnerabilities cannot be used to gain initial access to a system; an attacker must already have local access in order to exploit them.


A. Affected Products


All versions of WIN-911 Standard, Interactive, and Advanced prior to 4.21.5.


B. Vulnerability Details


The vulnerabilities were disclosed in a Talos report, which resulted in two CVEs being assigned.


Talos Report: TALOS-2020-1150

CVE: CVE-2020-13539 and CVE-2020-13540


By default, WIN-911 V4.20.13 is installed in the “C:\Program Files (x86)\WIN-911 Software” directory, and the installer grants the “Everyone” group “Full” control over certain files in that directory which are executed with SYSTEM authority. Any user in the Everyone group can therefore read, write, or replace those files, resulting in privilege escalation in certain configurations. In the permission listings below, F denotes Full control and (ID) marks an entry inherited from the parent directory.


CVE-2020-13539 - Privilege escalation via “WIN-911 Mobile Runtime” service

The WIN-911 Mobile Runtime service executes the binary shown below, which any user on the system can replace because Everyone has Full control over it. A replaced binary runs with the privileges of the WIN-911 service user when the service next starts:


c:\program files (x86)\win-911 software\win-911 enterprise\mobile\WIN911.Notifier.Mobile.Runtime.exe
    Everyone:F
    BUILTIN\Administrators:F
    NT AUTHORITY\Authenticated Users:(ID)(special access:)
        READ_CONTROL
        FILE_READ_DATA
        FILE_READ_EA
        FILE_READ_ATTRIBUTES


CVE-2020-13540 - Privilege escalation via “WIN-911 Account Change Utility”

WIN-911 Account Change Utility is a program used to change the WIN-911 service user under which all of the associated Windows services run. Because of the high privilege this operation requires, only an administrative user can successfully reconfigure the services. The executable that performs this operation can, however, be replaced by any member of the “Everyone” group due to the weak permissions shown below, so the replacement runs with administrative privileges the next time an administrator uses the utility.


c:\Program Files (x86)\WIN-911 Software\ACU\WIN-911 Account Change Utility.exe
    BUILTIN\Administrators:(ID)F
    Everyone:(ID)F
    NT AUTHORITY\Authenticated Users:(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Users:(ID)R
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(ID)R


C. Resolution


WIN-911 Software strongly recommends updating to the latest version of WIN-911, 4.21.5, which removes the Everyone group from all the files the installer places on disk and further restricts many others. The installer will upgrade existing deployments of WIN-911 automatically. If you are not able to upgrade WIN-911, you can manually remove the Everyone group from the WIN-911 Enterprise directory tree (and from the ACU directory shown above, where the Account Change Utility resides). After removing the group, confirm that the WIN-911 services still start, since the service user must retain access through the remaining entries.
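The following PowerShell script is an added example, not code from WIN-911 Software, for both the audit implied by the Vulnerability Details section and the manual mitigation described above. It walks the install tree, reports every ACE granted to Everyone (well-known SID S-1-1-0) together with whether that ACE permits writing, and with the script's own -Remediate switch removes the explicit Everyone entries. It assumes the default install root shown in this advisory and an elevated PowerShell session.

```powershell
# Added example, not WIN-911 Software's code: audit a WIN-911 install tree for
# ACEs granted to Everyone (well-known SID S-1-1-0) and optionally remove the
# explicit ones. Assumes the default install root shown in the advisory and an
# elevated PowerShell session; the -Remediate switch is this script's own.
param(
    [string]$Root = 'C:\Program Files (x86)\WIN-911 Software',
    [switch]$Remediate
)

$EveryoneSid = 'S-1-1-0'
# Any of these rights lets a member of Everyone replace or alter the file.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

# Include the root itself; Get-ChildItem -Recurse lists parents before their contents.
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for rules keyed by SID so the check does not depend on the localized group name.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $everyoneRules = @($rules | Where-Object { $_.IdentityReference.Value -eq $EveryoneSid })

    foreach ($rule in $everyoneRules) {
        [pscustomobject]@{
            Path      = $item.FullName
            Type      = $rule.AccessControlType
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Writable  = ($rule.AccessControlType -eq 'Allow') -and
                        (($rule.FileSystemRights -band $WriteMask) -ne 0)
        }
    }

    if ($Remediate) {
        # Only explicit ACEs can be removed on the object itself. An inherited one
        # ((ID) in icacls/cacls output) disappears once the entry is removed from the
        # directory it came from, which this loop reaches because it walks from $Root.
        $explicit = @($everyoneRules | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -gt 0) {
            foreach ($rule in $explicit) { $null = $acl.RemoveAccessRule($rule) }
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
"{0} Everyone ACE(s) found, {1} grant write access" -f @($findings).Count,
    @($findings | Where-Object Writable).Count
```

Run it once without -Remediate to see which files would still be writable by Everyone (the Mobile Runtime binary carries an explicit entry, while the Account Change Utility's entry is inherited from its directory), then with -Remediate from an elevated session. Entries inherited from above the install root are reported but not changed, since they must be corrected on the directory that defines them.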


WIN-911 4.21.5 Download


Technical Support


To create a support case, you will need either your Maintenance Support number or your CD Tracking number. You can create a Case online or contact the product support line: (512)326-1011.