WIN-911 Software has been made aware of two potential vulnerabilities affecting all versions of WIN-911 Standard, Interactive, and Advanced. Successful exploitation of these potential vulnerabilities could lead to escalation of local privileges. An attacker cannot use these vulnerabilities to gain initial access to your system, as they require local access to exploit.
A. Affected Products
B. Vulnerability Details
The vulnerabilities were disclosed in a Talos report which resulted in the creation of two CVEs.
Talos Report: TALOS-2020-1150
By default, WIN-911 V4.20.13 is installed in the “C:\Program Files (x86)\WIN-911 Software” directory, and the installer grants the “Everyone” group “Full” control over certain files in that directory which are executed with SYSTEM authority. This allows any user in the Everyone group to read, write, or replace those files, resulting in privilege escalation in certain configurations.
CVE-2020-13539 - Privilege escalation via “WIN-911 Mobile Runtime” service
The WIN-911 Mobile Runtime service allows any user on the system to replace a binary located under Program Files, as shown in the ACL below, and thereby execute code with the privileges of the WIN-911 service user:
c:\program files (x86)\win-911 software\win-911 enterprise\mobile\WIN911.Notifier.Mobile.Runtime.exe Everyone:F BUILTIN\Administrators:F NT AUTHORITY\Authenticated Users:(ID)(special access:) READ_CONTROL FILE_READ_DATA FILE_READ_EA FILE_READ_ATTRIBUTES
CVE-2020-13540 - Privilege escalation via “WIN-911 Account Change Utility”
The WIN-911 Account Change Utility is a program used to change the WIN-911 service user under which all of the associated Windows services run. Because of the high-level privilege this operation requires, only an administrative-level user can successfully reconfigure the services. The executable that performs this operation can, however, be replaced by any user in the “Everyone” group because of the weak permissions applied to it, as shown below, which leads to privilege escalation when the application is used:
c:\Program Files (x86)\WIN-911 Software\ACU\WIN-911 Account Change Utility.exe BUILTIN\Administrators:(ID)F Everyone:(ID)F NT AUTHORITY\Authenticated Users:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(ID)R
WIN-911 Software strongly recommends updating to the latest version of WIN-911, 4.21.5, which removes the Everyone group from all the files the installer places on disk and further restricts many others. The installer will upgrade existing deployments of WIN-911 automatically. If you are not able to upgrade WIN-911, you can manually remove the Everyone group from the WIN-911 Enterprise directory tree.
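The following PowerShell script is an added example, not WIN-911 Software's own tooling. It audits an install directory tree for Allow ACEs that grant the built-in Everyone group (well-known SID S-1-1-0) any write-capable right, which is the condition both CVEs above depend on, and with -Remediate it removes those explicit ACEs, matching the manual workaround described in this advisory. It assumes an elevated PowerShell session and uses the default install path quoted above; adjust -Root if the product was installed elsewhere.

```powershell
# Added example (not WIN-911's own code): find and optionally remove ACEs that give
# Everyone (S-1-1-0) write-capable rights anywhere under an install directory.
# Assumptions: elevated session; $Root defaults to the path quoted in the advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = 'C:\Program Files (x86)\WIN-911 Software',
    [switch]$Remediate
)

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Any of these rights lets a principal alter or replace a file. An Allow ACE for Everyone
# carrying one of them on a binary that runs as SYSTEM or a service account is the finding.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
             $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
             $fsr::TakeOwnership -bor $fsr::ChangePermissions

# Include the root itself so an ACE inherited from it is fixed at its source.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    $bad = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so a localized or renamed "Everyone" still matches.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable account: not Everyone, skip
        if ($sid -ne $everyone) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        $bad += $ace
        [pscustomobject]@{
            Path      = $item.FullName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs are fixed at the parent, not here
        }
    }

    # Remove only explicit ACEs; inherited ones disappear once their parent is cleaned.
    $explicit = @($bad | Where-Object { -not $_.IsInherited })
    if ($Remediate -and $explicit.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($item.FullName, "Remove $($explicit.Count) Everyone ACE(s)")) {
        foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

# Emit the findings as objects so they can be piped to Format-Table, Export-Csv, etc.
$findings
```

Run it without switches first to get an inventory of weak ACEs; `-Remediate -WhatIf` previews the removals, and `-Remediate` applies them. After remediation, re-run the audit and expect no rows, then confirm that the two paths quoted in the advisory (the Mobile Runtime executable and the Account Change Utility executable) no longer list Everyone in their ACLs.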