Safenet Sentinel LDK License Manager prior 7.101 on Windows Service link following
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.4 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as critical has been found in Safenet Sentinel LDK License Manager on Windows. This vulnerability affects unknown code of the component Service Handler. Such manipulation leads to link following. This vulnerability is documented as CVE-2019-18232. The attack needs to be performed locally. There is not any exploit available. The affected component should be upgraded.
Details
A vulnerability was found in Safenet Sentinel LDK License Manager on Windows. It has been rated as critical. Affected by this issue is an unknown part of the component Service Handler. The manipulation with an unknown input leads to a link following vulnerability. Using CWE to declare the problem leads to CWE-59. The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Impacted is confidentiality, integrity, and availability. CVE summarizes:
SafeNet Sentinel LDK License Manager, all versions prior to 7.101(only Microsoft Windows versions are affected) is vulnerable when configured as a service. This vulnerability may allow an attacker with local access to create, write, and/or delete files in system folder using symbolic links, leading to a privilege escalation. This vulnerability could also be used by an attacker to execute a malicious DLL, which could impact the integrity and availability of the system.
The weakness was released 12/11/2019. This vulnerability is handled as CVE-2019-18232 since 10/22/2019. The attack needs to be approached locally. A simple authentication is necessary for exploitation. There are neither technical details nor an exploit publicly available.
Upgrading to version 7.101 eliminates this vulnerability.
Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.5VulDB Meta Temp Score: 6.4
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Link followingCWE: CWE-59
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Sentinel LDK License Manager 7.101
Timeline
10/22/2019 🔍12/11/2019 🔍
12/12/2019 🔍
03/10/2024 🔍
Sources
Advisory: us-cert.govStatus: Not defined
CVE: CVE-2019-18232 (🔍)
GCVE (CVE): GCVE-0-2019-18232
GCVE (VulDB): GCVE-100-146996
Entry
Created: 12/12/2019 08:50Updated: 03/10/2024 12:33
Changes: 12/12/2019 08:50 (37), 12/12/2019 08:55 (17), 03/10/2024 12:33 (4)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.