7.8

CVE-2022-24139

EPSS 0.16%
Veröffentlicht 06.07.2022 13:15:09
Zuletzt bearbeitet 21.11.2024 06:49:53
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In IOBit Advanced System Care (AscService.exe) 15, an attacker with SEImpersonatePrivilege can create a named pipe with the same name as one of ASCService's named pipes. ASCService first tries to connect before trying to create the named pipes, because of that during login the service will try to connect to the attacker which will lead to either escalation of privileges (through token manipulation and ImpersonateNamedPipeClient() ) from ADMIN -> SYSTEM or from Local ADMIN-> Domain ADMIN depending on the user and named pipe that is used.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Iobit ≫ Advanced System Care Version15 SwEditionfree

Iobit ≫ Advanced System Care Version15 SwEditionpro

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.369

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

http://advanced.com

Not Applicable

http://iobit.com

Vendor Advisory

https://github.com/tomerpeled92/CVE/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-24139

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24139

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24139

EUVD