CVE-2020-11552

{"id": "CVE-2020-11552", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-08-11T16:15:12.057", "references": [{"url": "http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2020/Aug/4", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2020/Aug/6", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/48739", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://www.manageengine.com", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \\windows\\system32, cmd.exe can be launched as a SYSTEM."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de elevaci\u00f3n de privilegios en ManageEngine ADSelfService Plus antes del build 6003, porque no aplica apropiadamente los privilegios de usuario asociados con un cuadro de di\u00e1logo del Certificado. Esta vulnerabilidad podr\u00eda permitir a un atacante no autenticado escalar privilegios sobre un host de Windows. Un atacante no requiere ning\u00fan privilegio en el sistema de destino para explotar esta vulnerabilidad. Una opci\u00f3n es la opci\u00f3n de autoservicio en la pantalla de inicio de sesi\u00f3n de Windows. Al seleccionar esta opci\u00f3n, se inicia el software thick-client, que se conecta a un servidor ADSelfService Plus remoto para facilitar las operaciones de autoservicio. Un atacante no autenticado que tenga acceso f\u00edsico al host podr\u00eda activar una alerta de seguridad al suministrar un certificado SSL autofirmado al cliente. La opci\u00f3n View Certificate de la alerta de seguridad permite a un atacante exportar un certificado desplegado hacia un archivo. Esto puede convertirse en cascada en un cuadro de di\u00e1logo que puede abrir Explorer como SYSTEM. Al navegar desde Explorer en \\windows\\ system32, el archivo cmd.exe puede ser iniciado como un SYSTEM"}], "lastModified": "2020-08-13T20:08:21.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA200DAA-09C6-4165-86F3-53E0693DEFA4", "versionEndIncluding": "5.8"}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86396EFE-E4E1-42DB-A206-9D44B977DB95"}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6000:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1ECD4B6F-D157-4AA6-A288-AF85ECFE3D5D"}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6001:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89042E18-91F4-4EB7-9276-251A94529D36"}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6002:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0215A848-4170-42E0-9711-E9922CE82CD1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}