CVE-2019-7590
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Exacq Technologies, Inc. | exacqVision Server | unspecified < 8.4 | unknown |
| Exacq Technologies, Inc. | exacqVision Server | unspecified <= 9.4 | unaffected |
| Exacq Technologies, Inc. | exacqVision Server | 9.6 | affected |
| Exacq Technologies, Inc. | exacqVision Server | 9.8 | affected |
| Exacq Technologies, Inc. | exacqVision Server | next of 19.03 < unspecified | unaffected |
Weaknesses
- CWE-428: CWE-428 Unquoted Search Path or Element
- The exacqVision Server unquoted service path privilege escalation vulnerability is possible in the Windows operating system.
Workarounds
Run Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exacqVisionServer. Modify the ImagePath for to include quotations around the entire file path. Repeat this process for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dvrdhcpserver and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdnsresponder
ADP Enrichment
CVE Program Container
Additional References
- https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php
- https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
- https://www.us-cert.gov/ics/advisories/icsa-19-199-01
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- http://www.securityfocus.com/bid/109307
References
- https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php
- https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
- https://www.us-cert.gov/ics/advisories/icsa-19-199-01
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- http://www.securityfocus.com/bid/109307
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.