{"id": "CVE-2016-9485", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2018-07-13T20:29:01.410", "references": [{"url": "http://www.securityfocus.com/bid/94740", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/768331", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}, {"url": "http://www.securityfocus.com/bid/94740", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.kb.cert.org/vuls/id/768331", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cret@cert.org", "description": [{"lang": "en", "value": "CWE-378"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": 
"On Windows endpoints, the SecureConnector agent must run under the local SYSTEM account or another administrator account in order to enable full functionality of the agent. The typical configuration is for the agent to run as a Windows service under the local SYSTEM account. The SecureConnector agent runs various plugin scripts and executables on the endpoint in order to gather and report information about the host to the CounterACT management appliance. The SecureConnector agent downloads these scripts and executables as needed from the CounterACT management appliance and runs them on the endpoint. The SecureConnector agent fails to set any permissions on downloaded file objects. This allows a malicious user to take ownership of any of these files and make modifications to it, regardless of where the files are saved. These files are then executed under SYSTEM privileges. A malicious unprivileged user can overwrite these executable files with malicious code before the SecureConnector agent executes them, causing the malicious code to be run under the SYSTEM account."}, {"lang": "es", "value": "En los endpoints de Windows, el agente SecureConnector debe ejecutarse bajo la cuenta SYSTEM local u otra cuenta de administrador para habilitar la funcionalidad total del agente. La configuraci\u00f3n t\u00edpica es para que el agente se ejecute como servicio de Windows bajo la cuenta SYSTEM local. El agente SecureConnector ejecuta varios scripts de plugin y ejecutables en el endpoint para recopilar y reportar informaci\u00f3n sobre el host en la aplicaci\u00f3n de gesti\u00f3n de CounterACT. El agente SecureConnector descarga estos scripts y ejecutables cuando los necesita de la aplicaci\u00f3n de gesti\u00f3n de CounterACT y los ejecuta en el endpoint. El agente SecureConnector no establece permisos en los objetos de archivo descargados. 
Esto permite que un usuario malicioso asuma la propiedad de cualquiera de estos archivos y los modifique, independientemente de d\u00f3nde se guardan los archivos. Estos archivos se ejecutan despu\u00e9s bajo privilegios SYSTEM. Un usuario malicioso no privilegiado puede sobrescribir estos archivos ejecutables con c\u00f3digo malicioso antes de que los ejecute el agente SecureConnector, lo que provoca que el c\u00f3digo malicioso se ejecute bajo la cuenta SYSTEM."}], "lastModified": "2024-11-21T03:01:18.367", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:forescout:secureconnector:-:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "2E675CA7-5E40-4658-BFDA-8701F6614878"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}