A vulnerability was found in Wacom Driver 6.3.32-3 (Hardware Driver Software). It has been rated as critical. Affected by this issue is an unknown functionality of the component Helper Service. The manipulation as part of a Argument leads to a privileges management vulnerability. Using CWE to declare the problem leads to CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Impacted is confidentiality, integrity, and availability. CVE summarizes:

An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine for a successful exploit.

The bug was discovered 05/16/2019. The weakness was disclosed 10/24/2019. This vulnerability is handled as CVE-2019-5012 since 01/04/2019. The attack needs to be approached locally. The successful exploitation needs a simple authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

The vulnerability was handled as a non-public zero-day exploit for at least 161 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entry 144153 is pretty similar.

Productinfo

Type

• Hardware Driver Software

Vendor

• Wacom

Name

• Driver

Version

• 6.3.32-3

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion