Version 6.22.2.10: Security Vulnerability Maintenance Release

Question:

What are the concerns about vulnerability CVE-2019-1552 and corresponding details?

Answer:

Nexthink strongly recommends customers upgrade to 6.22.2.10 or V6.23 when available, ideally to the latest available for the moment.

This release addresses two vulnerabilities on local privilege escalation affecting the Collector on Windows. Details regarding both can be found below.

  • The first vulnerability, CVE-2019-1552, is a publicly known vulnerability in a third-party library used in our solution, which affects versions up to v6.20 included. We advise customers running such older versions to upgrade to the latest one. Alternatively, we have identified methods to remediate this issue. Further information is available in annex 1.

  • The second vulnerability is in the solution itself and can be remediated by upgrading to the latest version. Exploitation requires product-specific knowledge and the ability to execute code locally. Further information is available in annex 2.

Nexthink is making this communication available to existing customers and partners only, in order to allow our customers to respond and remediate in accordance with their internal processes. Contact your Nexthink representative if you have any further questions or concerns. Check the latest Maintenance Release V6.22.2.10 for details

Annex 1

OpenSSL Local Privilege Escalation for Windows Collectors up to v6.20 included

Executive Summary

For these prior versions, OpenSSL can be leveraged to load arbitrary DLLs into the hosting process. One of our system services (nxtcoordinator.exe) loads OpenSSL and runs with SYSTEM privileges and thus could be used by an attacker to perform a Local Privilege Escalation.

Security Update

An update is available and affected customers are encouraged to upgrade or apply the workaround described below.

See also the Affected Software section below.

Vuln information

A number of OpenSSL libraries attempt to load the openssl.cnf configuration file from a user writable location. The configuration can be used to cause a DLL of the attacker’s choice to be loaded into the host process. More details about this vulnerability can be found on the CVE database.

Affected software

  • All Windows Collector versions up to v6.20 are affected.

  • v6.21 and v6.22 are not affected due to the different packaging of the OpenSSL library.

  • In v6.22.2.10 and v6.23 we have completely disabled the loading of the openssl.cnf file.

Mitigating factors

This vulnerability cannot be exploited remotely. The attacker must have access to the target system.

Workaround

This vulnerability can be mitigated by creating a folder with a specific name and restricting write access to privileged users. This will make it impossible for attackers to drop a specially crafted openssl.cnf file to escalate privileges. The exact folder name depends on the version of the Collector:

Windows Collector versionPath

6.17.3 - 6.20.x

x64: “C:\Build-openssl-OpenSSL_1_1_0h-64\SSL\openssl.cnf”

x86: “C:\Build-openssl-OpenSSL_1_1_0h-32\SSL\openssl.cnf”

6.5.x - 6.17.2

x64 and x86: “C:\usr\local\ssl\openssl.cnf”

Acknowledgment

We’d like to thank Dr. Markus Weiler from SySS for alerting us about the vulnerability.

Disclaimer

The use of the software is subject to the terms and conditions of its applicable license agreement and then-effective documentation. This information is provided “as-is” without warranty of any kind.

Revision

  • 0 2019-09-04. Bulletin Published

Annex 2

Local Privilege Escalation through DLL Hijacking on Windows Collectors up to v6.22.1.131 included

Executive Summary

A DLL Hijacking vulnerability in the Collector allows an attacker to inject an arbitrary DLL into a privileged process. One of our system services is vulnerable and runs with SYSTEM privileges and thus could be used by an attacker to perform a Local Privilege Escalation.

Security Update

An update is available and affected customers are encouraged to upgrade.

See also the Affected Software section below.

Vulnerability information

The Collector dynamically loads a small number of DLLs for which the full path was not specified. This could allow an attacker to inject an arbitrary DLL into the Collector process by dropping a DLL into a user-writable location that is in the LoadLibrary() search path. The search path includes the PATH environment variable asset for the SYSTEM user.

Affected software

  • All Windows Collector versions up to v6.22.1.131 are affected.

Mitigating factors

This vulnerability cannot be exploited remotely. The attacker must have access to the target system.

Workaround

Nexthink is not aware of any workaround.

Acknowledgment

This vulnerability was found by two independent penetration tests, one as part of our regular security reviews and the other in collaboration with a customer.

Disclaimer

The use of the software is subject to the terms and conditions of its applicable license agreement and then-effective documentation. This information is provided “as-is” without warranty of any kind.

Revision

  • 0 2019-09-04. Bulletin Published

Last updated