WIN-911 Software has been made aware of two potential vulnerabilities affecting all versions of WIN-911 Standard, Interactive, and Advanced. Successful exploitation of these potential vulnerabilities could allow a local user to escalate their privileges. An attacker cannot use these vulnerabilities to gain access to your system, as exploiting them requires local access.
A. Affected Products
All versions of WIN-911 Standard, Interactive, and Advanced prior to 4.21.5.
B. Vulnerability Details
The vulnerabilities were disclosed in a Talos report which resulted in the creation of two CVEs.
Talos Report: TALOS-2020-1150
CVE: CVE-2020-13539 and CVE-2020-13540
By default, WIN-911 V4.20.13 is installed in the “C:\Program Files (x86)\WIN-911 Software” directory, and the installer grants the “Everyone” group “Full” control over certain files in that directory that are executed with SYSTEM authority. This allows users in the Everyone group to read, write or modify arbitrary files in the install directory, resulting in privilege escalation in certain configurations.
CVE-2020-13539 - Privilege escalation via “WIN-911 Mobile Runtime” service
The WIN-911 Mobile Runtime service allows any user on the system to replace the binary located in Program Files, shown below, and thereby execute code with the privileges of the WIN-911 service user:
c:\program files (x86)\win-911 software\win-911 enterprise\mobile\WIN911.Notifier.Mobile.Runtime.exe
Everyone:F
BUILTIN\Administrators:F
NT AUTHORITY\Authenticated Users:(ID)(special access:)
READ_CONTROL
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES
CVE-2020-13540 - Privilege escalation via “WIN-911 Account Change Utility”
The WIN-911 Account Change Utility is a program used to change the WIN-911 service user under which all of the associated Windows services run. Because this operation requires elevated privileges, only an administrative-level user can successfully reconfigure the services. However, the executable that performs this operation can easily be replaced by any user in the “Everyone” group because of the weak permissions applied to the application, shown below, leading to privilege escalation when the application is subsequently used.
c:\Program Files (x86)\WIN-911 Software\ACU\WIN-911 Account Change Utility.exe
BUILTIN\Administrators:(ID)F
Everyone:(ID)F
NT AUTHORITY\Authenticated Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(ID)R
C. Resolution
WIN-911 Software strongly recommends updating to the latest version of WIN-911, 4.21.5, which removes the Everyone Group from all the files the installer places on disk and further restricts many others. The installation will upgrade existing deployments of WIN-911 automatically. If you are not able to upgrade WIN-911, you can manually remove the Everyone group from the WIN-911 Enterprise directory tree.
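The manual mitigation above can be audited and applied with the following PowerShell script. It is an added example, not tooling from WIN-911 Software: run from an elevated prompt, it walks an install tree (the default root is the install path named in this advisory; adjust it for your deployment), reports every ACE that grants the Everyone group (SID S-1-1-0) write or Full control, and with -Fix removes the explicit ones so that NTFS inheritance clears the copies further down the tree.

```powershell
# Added example, not WIN-911 Software's own tooling: audit a WIN-911 install tree for
# ACEs that grant the Everyone group write or Full control, and optionally remove them.
# The default root is the install path the advisory names; adjust it for your deployment.
param(
    [string]$Root = 'C:\Program Files (x86)\WIN-911 Software',
    [switch]$Fix
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# Any of these rights lets a principal replace or alter a binary under the tree.
$writeMask = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
                   $FSR::WriteAttributes -bor $FSR::WriteExtendedAttributes -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership)
# Well-known SID for Everyone; matching on the SID avoids locale-dependent account names.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

function Get-EveryoneWriteAces([System.Security.AccessControl.FileSystemSecurity]$Acl) {
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        ([int]$_.FileSystemRights -band $writeMask) -ne 0
    }
}

# Process the root first, then its children: removing an explicit ACE on a parent also
# clears the copies that child objects inherited from it.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $items) {
    $acl  = Get-Acl -LiteralPath $item.FullName
    $aces = @(Get-EveryoneWriteAces $acl)
    if ($aces.Count -eq 0) { continue }
    if ($Fix -and ($aces | Where-Object { -not $_.IsInherited })) {
        # PurgeAccessRules drops every explicit ACE for the SID on this object; inherited
        # ACEs are not touched here and disappear once the parent has been corrected.
        $acl.PurgeAccessRules($everyone)
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
    foreach ($ace in $aces) {
        [pscustomobject]@{
            Path      = $item.FullName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: the ACE comes from a parent directory
            Fixed     = [bool]$Fix -and -not $ace.IsInherited
        }
    }
}
$report | Format-Table -AutoSize
```

An entry that remains Inherited = True after a -Fix run is inherited from a directory outside the tree being scanned and must be corrected at that parent.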
Technical Support
To create a support case, you will need either your Maintenance Support number or your CD Tracking number. You can create a Case online or contact the product support line: (512)326-1011.