CVE-2020-12614
https://notcve.org/view.php?id=CVE-2020-12614
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. If the publisher criteria is selected, it defines the name of a publisher that must be present in the certificate (and also requires that the certificate is valid). If an Add Admin token is protected by this criteria, it can be leveraged by a malicious actor to achieve Elevation of Privileges from standard user to administrator. Se descubrió un problema en BeyondTrust Privilege Management para Windows hasta 5.6. Si se seleccionan los criterios del editor, se define el nombre de un editor que debe estar presente en el certificado (y también requiere que el certificado sea válido). • https://www.beyondtrust.com/support/changelog/privilege-management-for-windows-5-6-sr1 https://www.beyondtrust.com/trust-center/security-advisories/bt22-10 • CWE-295: Improper Certificate Validation •
CVE-2020-28369
https://notcve.org/view.php?id=CVE-2020-28369
In BeyondTrust Privilege Management for Windows (aka PMfW) through 5.7, a SYSTEM installation causes Cryptbase.dll to be loaded from the user-writable location %WINDIR%\Temp. En BeyondTrust Privilege Management para Windows (también conocido como PMfW) hasta 5.7, una instalación de SISTEMA hace que Cryptbase.dll se cargue desde la ubicación de escritura del usuario %WINDIR%\Temp. • https://www.beyondtrust.com/privilege-management/windows-mac https://www.beyondtrust.com/trust-center/security-advisories/bt22-08 • CWE-427: Uncontrolled Search Path Element •
CVE-2020-12612
https://notcve.org/view.php?id=CVE-2020-12612
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. When specifying a program to elevate, it can typically be found within the Program Files (x86) folder and therefore uses the %ProgramFiles(x86)% environment variable. However, when this same policy gets pushed to a 32bit machine, this environment variable does not exist. Therefore, since the standard user can create a user level environment variable, they can repoint this variable to any folder the user has full control of. Then, the folder structure can be created in such a way that a rule matches and arbitrary code runs elevated. • https://www.beyondtrust.com/support/changelog/privilege-management-for-windows-5-6-sr1 https://www.beyondtrust.com/trust-center/security-advisories/bt22-09 •
CVE-2021-3187
https://notcve.org/view.php?id=CVE-2021-3187
An issue was discovered in BeyondTrust Privilege Management for Mac before 5.7. An authenticated, unprivileged user can elevate privileges by running a malicious script (that executes as root from a temporary directory) during install time. (This applies to macOS before 10.15.5, or Security Update 2020-003 on Mojave and High Sierra, Later versions of macOS are not vulnerable.) Se descubrió un problema en BeyondTrust Privilege Management para Mac anterior a la versión 5.7. Un usuario autenticado y sin privilegios puede elevar sus privilegios ejecutando un script malicioso (que se ejecuta como raíz desde un directorio temporal) durante el tiempo de instalación. • https://www.beyondtrust.com/docs/release-notes/privilege-management/index.htm https://www.beyondtrust.com/trust-center/security-advisories/bt22-06 •
CVE-2020-12613
https://notcve.org/view.php?id=CVE-2020-12613
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. An attacker can spawn a process with multiple users as part of the security token (prior to Avecto elevation). When Avecto elevates the process, it removes the user who is launching the process, but not the second user. Therefore this second user still retains access and can give permission to the process back to the first user. Se descubrió un problema en BeyondTrust Privilege Management para Windows hasta 5.6. • https://www.beyondtrust.com/support/changelog/privilege-management-for-windows-5-6-sr1 https://www.beyondtrust.com/trust-center/security-advisories/bt22-11 •