// For flags

CVE-2019-11396

 

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in Avira Free Security Suite 10. The permissive access rights on the SoftwareUpdater folder (files / folders and configuration) are incompatible with the privileged file manipulation performed by the product. Files can be created that can be used by an unprivileged user to obtain SYSTEM privileges. Arbitrary file creation can be achieved by abusing the SwuConfig.json file creation: an unprivileged user can replace these files by pseudo-symbolic links to arbitrary files. When an update occurs, a privileged service creates a file and sets its access rights, offering write access to the Everyone group in any directory.

Se detectó un problema en Avira Free Security Suite versión 10. Los derechos de acceso permisivo en la carpeta SoftwareUpdater (archivos / carpetas y configuración) son incompatibles con la manipulación de archivos privilegiada realizada por el producto. Pueden ser creados archivos que pueden ser usados por un usuario no privilegiado para obtener privilegios SYSTEM. La creación de archivos arbitrarios puede lograrse al abusar de la creación de archivos SwuConfig.json: un usuario no privilegiado puede reemplazar estos archivos por enlaces pseudo simbólicos en archivos arbitrarios. Cuando se produce una actualización, un servicio privilegiado crea un archivo y establece sus derechos de acceso, ofreciendo acceso de escritura al grupo Everyone en cualquier directorio.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-04-21 CVE Reserved
  • 2019-08-04 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-22 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Avira
Search vendor "Avira"
 Free Security Suite
Search vendor "Avira" for product "Free Security Suite"
 2019
Search vendor "Avira" for product "Free Security Suite" and version "2019"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Avira
Search vendor "Avira"
 Software Updater
Search vendor "Avira" for product "Software Updater"
 <= 2.0.6.13175
Search vendor "Avira" for product "Software Updater" and version " <= 2.0.6.13175"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe