A vulnerability classified as problematic has been found in Gemalto Sentinel UltraPro Client Library 1.3.0/1.3.1/1.3.2 (Software Library). Affected is an unknown code block in the library ux32w.dll. The manipulation as part of a Search Path leads to a uncontrolled search path vulnerability. CWE is classifying the issue as CWE-427. The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

The uncontrolled search path element vulnerability in Gemalto Sentinel UltraPro Client Library ux32w.dll Versions 1.3.0, 1.3.1, and 1.3.2 enables an attacker to load and execute a malicious file.

The bug was discovered 03/14/2019. The weakness was disclosed 04/11/2019 (Website). The advisory is available at sw.aveva.com. This vulnerability is traded as CVE-2019-6534 since 01/22/2019. Local access is required to approach this attack. The requirement for exploitation is a authentication. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1574 by the MITRE ATT&CK project.

The vulnerability was handled as a non-public zero-day exploit for at least 28 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• Software Library

Vendor

• Gemalto

Name

• Sentinel UltraPro Client Library

Version

• 1.3.0
• 1.3.1
• 1.3.2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion