CVE-2019-7590 Information
Description
The ExacqVision Server services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path, it can potentially be executed during application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies Inc. exacqVision Server versions prior to 8.4.
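A defender-side check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it flags service `ImagePath` values that are unquoted and contain a space in the executable path, and lists the directories whose write permissions should then be reviewed. The service names and paths in `SAMPLE` are constructed placeholders, not the real exacqVision install paths.

```python
import re
from pathlib import PureWindowsPath

# Executable portion of an unquoted ImagePath: shortest prefix ending in ".exe"
# that is followed by whitespace or end of string (arguments come after it).
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Return (exe_path, quoted) for a service ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = EXE_RE.match(s)
    # Limitation: without a ".exe" suffix we fall back to the first token.
    return (m.group(1) if m else s.split(" ")[0]), False

def dirs_to_audit(exe_path):
    """Parent directory of every space-truncated prefix of the path.
    None of these should be writable by non-administrators."""
    out = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            parent = str(PureWindowsPath(exe_path[:i]).parent)
            if parent not in out:
                out.append(parent)
    return out

def audit(services):
    """Map each unquoted-with-spaces service to the directories to review."""
    findings = {}
    for name, image_path in services.items():
        exe, quoted = executable_part(image_path)
        if not quoted and " " in exe:
            findings[name] = dirs_to_audit(exe)
    return findings

# Constructed sample data (hypothetical service names and paths).
SAMPLE = {
    "ExampleUnquoted": r"C:\Program Files\Example Vendor\Video Server\svc.exe -run",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Video Server\svc.exe" -run',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, dirs in audit(SAMPLE).items():
        print(name, "-> unquoted path; review write ACLs on:", dirs)
```

On a real host the input would be the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`; the fix for any finding is to wrap the executable path in double quotes.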
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
http://www.securityfocus.com/bid/109307
https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://www.us-cert.gov/ics/advisories/icsa-19-199-01
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.8
Base Severity
HIGH