Published Product Vulnerabilities

Last updated in AUGUST 2023

Contents

CVE-2020-16268

CVEID

CVE-2020-16268

PRODUCT

1E Client for Windows

VERSION

– 5.0.x
– 4.1.x

PROBLEM TYPE

Execution with Unnecessary Privileges

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.

CVSS v3.1 Vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

https://nvd.nist.gov/vuln/detail/CVE-2020-16268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16268

ASSIGNING CNA

MITRE

CVE-2020-27643

CVEID

CVE-2020-27643

PRODUCT

1E Client for Windows

VERSION

– 5.0.x
– 4.1.x

PROBLEM TYPE

Windows Hard Link

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory. This leads to partial privilege escalation. This vulnerability can be mitigated by changing the permission of the ProgramData\1E\Client directory so that a standard user does not have the ability to create and modify files.

CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln/detail/CVE-2020-27643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27643

ASSIGNING CNA

MITRE

CVE-2020-27644

CVEID

CVE-2020-27644

PRODUCT

1E Client for Windows

VERSION

5.0.x

PROBLEM TYPE

Uncontrolled Search Path Element

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges by placing a malicious file called cryptbase.dll to the C:\Windows\Temp\.

CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln/detail/CVE-2020-27644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27644

ASSIGNING CNA

MITRE

CVE-2020-27645

CVEID

CVE-2020-27645

PRODUCT

1E Client for Windows

VERSION

5.0.x

PROBLEM TYPE

Uncontrolled Search Path Element

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.

CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln/detail/CVE-2020-27645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27645

ASSIGNING CNA

MITRE