A vulnerability, which was classified as critical, was found in Veraport G3 ALL on MacOS (affected version unknown). Affected is an unknown functionality of the component API. The manipulation with an unknown input leads to a race condition vulnerability. CWE is classifying the issue as CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

In Veraport G3 ALL on MacOS, a race condition when calling the Veraport API allow remote attacker to cause arbitrary file download and execution. This results in remote code execution.

The bug was discovered 12/19/2018. The weakness was disclosed 12/20/2018 (Website). The advisory is available at boho.or.kr. This vulnerability is traded as CVE-2018-5198 since 01/03/2018. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entry VDB-128263 is pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• Veraport

Name

• G3 ALL

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion