Version 6.22.2.10: Security Vulnerability Maintenance Release
Question:
What are the concerns about vulnerability CVE-2019-1552 and corresponding details?
Answer:
Nexthink strongly recommends that customers upgrade to 6.22.2.10, or to V6.23 when available, and ideally to the latest version available at the time.
This release addresses two local privilege escalation vulnerabilities affecting the Collector on Windows. Details of both can be found below.
The first vulnerability, CVE-2019-1552, is a publicly known vulnerability in a third-party library used in our solution. It affects versions up to and including v6.20. We advise customers running such older versions to upgrade to the latest one. Alternatively, we have identified methods to remediate this issue. Further information is available in annex 1.
The second vulnerability is in the solution itself and can be remediated by upgrading to the latest version. Exploitation requires product-specific knowledge and the ability to execute code locally. Further information is available in annex 2.
Nexthink is making this communication available to existing customers and partners only, in order to allow our customers to respond and remediate in accordance with their internal processes. Contact your Nexthink representative if you have any further questions or concerns. Check the latest Maintenance Release V6.22.2.10 for details.
Annex 1
OpenSSL Local Privilege Escalation for Windows Collectors up to v6.20 included
Executive Summary
For these prior versions, OpenSSL can be leveraged to load arbitrary DLLs into the hosting process. One of our system services (nxtcoordinator.exe) loads OpenSSL and runs with SYSTEM privileges and thus could be used by an attacker to perform a Local Privilege Escalation.
Security Update
An update is available and affected customers are encouraged to upgrade or apply the workaround described below.
See also the Affected Software section below.
Vulnerability information
A number of OpenSSL libraries attempt to load the openssl.cnf configuration file from a user-writable location. The configuration can be used to cause a DLL of the attacker’s choice to be loaded into the host process. More details about this vulnerability can be found on the CVE database.
Affected software
All Windows Collector versions up to v6.20 are affected.
v6.21 and v6.22 are not affected due to the different packaging of the OpenSSL library.
In v6.22.2.10 and v6.23 we have completely disabled the loading of the openssl.cnf file.
Mitigating factors
This vulnerability cannot be exploited remotely. The attacker must have access to the target system.
Workaround
This vulnerability can be mitigated by creating a folder with a specific name and restricting write access to privileged users. This will make it impossible for attackers to drop a specially crafted openssl.cnf file to escalate privileges. The exact folder name depends on the version of the Collector:
Windows Collector version | Path |
---|---|
6.17.3 - 6.20.x | x64: “C:\Build-openssl-OpenSSL_1_1_0h-64\SSL\openssl.cnf”; x86: “C:\Build-openssl-OpenSSL_1_1_0h-32\SSL\openssl.cnf” |
6.5.x - 6.17.2 | x64 and x86: “C:\usr\local\ssl\openssl.cnf” |
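One way to apply the workaround above from an elevated PowerShell session. This is an added example, not a script published by Nexthink; the choice of principals (SYSTEM and Administrators with full control, Users read-only) and the decision to place the ACL on the first directory below C:\ are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not Nexthink's script). Paths are taken from the advisory
# table; keep only the entries matching the installed Collector version.
$configDirs = @(
    'C:\Build-openssl-OpenSSL_1_1_0h-64\SSL',  # 6.17.3 - 6.20.x, x64
    'C:\Build-openssl-OpenSSL_1_1_0h-32\SSL',  # 6.17.3 - 6.20.x, x86
    'C:\usr\local\ssl'                         # 6.5.x - 6.17.2
)

# Owner Administrators, protected DACL (nothing inherited from C:\):
# SYSTEM and Administrators full control, Users read and execute only.
$sddl     = 'O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)'
$sections = [System.Security.AccessControl.AccessControlSections]'Owner, Access'

foreach ($dir in $configDirs) {
    # The ACL goes on the first directory below C:\ so the whole chain is
    # covered; locking only the leaf would leave its parents replaceable.
    $top = 'C:\' + ($dir.Substring(3) -split '\\')[0]

    if (-not (Test-Path -LiteralPath $top)) {
        New-Item -ItemType Directory -Path $top | Out-Null
    }
    $acl = Get-Acl -LiteralPath $top
    $acl.SetSecurityDescriptorSddlForm($sddl, $sections)
    Set-Acl -LiteralPath $top -AclObject $acl

    # Directories created from here on inherit the restricted ACL from $top.
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # A configuration file that is already present was not placed by this
    # script and should be reviewed before it is trusted or deleted.
    $cnf = Join-Path $dir 'openssl.cnf'
    if (Test-Path -LiteralPath $cnf) {
        Write-Warning "Existing file found, review it: $cnf"
    }

    # Show the resulting owner and ACL of the leaf directory for verification.
    Get-Acl -LiteralPath $dir | Format-List Path, Owner, AccessToString
}
```

If any of the directories existed before the script ran, check the printed ACL for explicit entries that predate it.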
Acknowledgment
We’d like to thank Dr. Markus Weiler from SySS for alerting us about the vulnerability.
Disclaimer
The use of the software is subject to the terms and conditions of its applicable license agreement and then-effective documentation. This information is provided “as-is” without warranty of any kind.
Revision
0 2019-09-04. Bulletin Published
Annex 2
Local Privilege Escalation through DLL Hijacking on Windows Collectors up to v6.22.1.131 included
Executive Summary
A DLL Hijacking vulnerability in the Collector allows an attacker to inject an arbitrary DLL into a privileged process. One of our system services is vulnerable and runs with SYSTEM privileges and thus could be used by an attacker to perform a Local Privilege Escalation.
Security Update
An update is available and affected customers are encouraged to upgrade.
See also the Affected Software section below.
Vulnerability information
The Collector dynamically loads a small number of DLLs for which the full path was not specified. This could allow an attacker to inject an arbitrary DLL into the Collector process by dropping a DLL into a user-writable location that is in the LoadLibrary() search path. The search path includes the PATH environment variable as set for the SYSTEM user.
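An exposure check for the condition described above, as an added example that is not part of the advisory or of Nexthink's tooling: it lists machine-level PATH directories on which a principal other than SYSTEM, Administrators or TrustedInstaller holds a write-type permission. It assumes the service sees the machine-level PATH, covers only PATH entries and not the rest of the search order, and the function name `Get-WritablePathEntry` is hypothetical.

```powershell
# Added example: audit machine-level PATH directories for write-type
# permissions held by non-privileged principals. Deny ACEs are not evaluated,
# so a finding means "review this directory", not "confirmed writable".
$trusted = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

function Get-WritablePathEntry {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))

    foreach ($raw in ($PathValue -split ';' | Where-Object { $_.Trim() })) {
        $dir = [Environment]::ExpandEnvironmentVariables($raw.Trim().Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing entry is only as safe as the parent it would be created in.
            [pscustomobject]@{ Directory = $dir; Principal = '-'; Finding = 'missing directory' }
            continue
        }
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            # Inherit-only ACEs apply to children, not to the directory itself.
            $inheritOnly = $rule.PropagationFlags -band
                [System.Security.AccessControl.PropagationFlags]::InheritOnly
            if ($rule.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
            if ($trusted -contains $rule.IdentityReference.Value) { continue }
            if ($rule.FileSystemRights -band $writeMask) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $rule.IdentityReference.Value
                    Finding   = [string]$rule.FileSystemRights
                }
            }
        }
    }
}

Get-WritablePathEntry | Format-Table -AutoSize
```

This reports exposure only; the remediation stated in this annex is the upgrade.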
Affected software
All Windows Collector versions up to v6.22.1.131 are affected.
Mitigating factors
This vulnerability cannot be exploited remotely. The attacker must have access to the target system.
Workaround
Nexthink is not aware of any workaround.
Acknowledgment
This vulnerability was found by two independent penetration tests, one as part of our regular security reviews and the other in collaboration with a customer.
Disclaimer
The use of the software is subject to the terms and conditions of its applicable license agreement and then-effective documentation. This information is provided “as-is” without warranty of any kind.
Revision
0 2019-09-04. Bulletin Published