OpenSSL up to 1.0.2s/1.1.0k/1.1.1c on Windows mingw OPENSSLDIR privilege escalation
| CVSS Meta Temp Score | Current Exploit Price (β) |
|---|---|
| 5.1 | $0-$5k |
A vulnerability has been found in OpenSSL up to 1.0.2s/1.1.0k/1.1.1c on Windows (Network Encryption Software) and classified as critical. Affected by this vulnerability is an unknown function of the component mingw. The manipulation of the argument OPENSSLDIR with the input value C:/usr/local leads to a privilege escalation vulnerability. The CWE definition for the vulnerability is CWE-269. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was disclosed 07/30/2019 as confirmed git commit (GIT Repository). It is possible to read the advisory at git.openssl.org. This vulnerability is known as CVE-2019-1552 since 11/28/2018. Attacking locally is a requirement. A single authentication is required for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 07/31/2019).
Upgrading to version 1.0.2t, 1.1.0l or 1.1.1d eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.openssl.org. The best possible mitigation is suggested to be upgrading to the latest version.
Type
Name
VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: π
VulDB Reliability: π
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| π | π | π | π | π | π |
| π | π | π | π | π | π |
| π | π | π | π | π | π |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: π
VulDB Temp Score: π
VulDB Reliability: π
Class: Privilege escalation (CWE-269)
Local: Yes
Remote: No
Availability: π
Status: Not defined
Price Prediction: π
Current Price Estimation: π
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Threat: π
Adversaries: π
Geopolitics: π
Economy: π
Predictions: π
Remediation: πRecommended: Upgrade
Status: π
0-Day Time: π
Upgrade: OpenSSL 1.0.2t/1.1.0l/1.1.1d
Patch: git.openssl.org
11/28/2018 CVE assigned
07/30/2019 Advisory disclosed
07/31/2019 VulDB entry created
07/31/2019 VulDB last updateProduct: openssl.org
Advisory: git.openssl.org
Status: Confirmed
CVE: CVE-2019-1552 (π)
Created: 07/31/2019 09:31 AM
Complete: π
Comments
Check our Alexa App!
https://vuldb.com/?id.139027
Comments are closed.
No comments yet. Please log in to comment.