CVSSv3.1 Range: 6.3 (Medium)
Issue Date: 2021-03-03
Updated On: 2021-03-03 (Initial Advisory)
Synopsis: A dependency call in the UpSlide Monitoring Service could lead to code execution.
Advisory details
Impacted Products
UpSlide Add-In: Version 6.6.10.3 to 6.6.17.0
Introduction
Description
Known Attack Vectors
Successful exploitation of this issue may allow an attacker to gain privileged access to the computer by running code as a Windows Service.
Resolution
This issue has been fixed in v6.6.18. Contact your account manager, who will provide you with the new version of UpSlide.
In the meantime, you can mitigate the vulnerability by restricting the access rights on the UpSlideService folder with the following commands:
icacls "UpSlideInstallationPath\UpSlideService" /inheritance:d
icacls "UpSlideInstallationPath\UpSlideService" /remove:g *S-1-5-32-545 /T
icacls "UpSlideInstallationPath\UpSlideService" /grant:r *S-1-5-32-545:(OI)(CI)R /grant:r *S-1-5-32-544:(OI)(CI)F /grant:r SYSTEM:(OI)(CI)F /T
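To confirm the mitigation took effect, the following added example (not part of the vendor's advisory) lists every Allow entry under the folder that still gives write-type rights to a principal other than Administrators or SYSTEM. The function name Test-UpSlideServiceAcl is hypothetical, UpSlideInstallationPath is the advisory's own placeholder, and treating those two principals as the only expected writers is an assumption taken from the grant command above.

```powershell
# Added example: audit the ACLs left on the UpSlideService folder after mitigation.
# Test-UpSlideServiceAcl is a hypothetical name; the path used at the end is the
# advisory's placeholder and must be replaced with the real installation path.
function Test-UpSlideServiceAcl {
    param([Parameter(Mandatory)][string]$ServicePath)

    # Assumed expected writers, matching the grant command: Administrators, SYSTEM.
    $allowedWriters = 'S-1-5-32-544', 'S-1-5-18'

    # Rights that allow creating, changing or replacing files, plus the raw
    # GENERIC_WRITE / GENERIC_ALL bits that inherit-only ACEs can carry.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x50000000

    $root = Get-Item -LiteralPath $ServicePath -ErrorAction Stop

    # /inheritance:d should leave the folder with a protected (non-inheriting) DACL.
    if (-not (Get-Acl -LiteralPath $root.FullName).AreAccessRulesProtected) {
        Write-Warning "Inheritance is still enabled on $($root.FullName)"
    }

    # /T applies to every child, so check the folder and everything below it.
    $items = @($root) + @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Request SIDs so the comparison does not depend on localized group names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($allowedWriters -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
                # Emit one record per entry that needs review.
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $rule.IdentityReference.Value
                    Rights = $rule.FileSystemRights
                }
            }
        }
    }
}

Test-UpSlideServiceAcl -ServicePath 'UpSlideInstallationPath\UpSlideService'
```

No output means no unexpected writable entry was found. Because the commands above remove grants only for S-1-5-32-545, any other SID reported here was copied in when inheritance was disabled and should be reviewed.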
Fix introduced in
UpSlide Add-In: Version 6.6.18.0 was released on February 10th, 2021.
Change Log
2021-03-03 UPS-2021-001: Initial Security Advisory
Contact
If you have any questions regarding this vulnerability, please contact UpSlide support by email at support@upslide.net.
If you want to report a vulnerability on UpSlide products, please contact security@upslide.net.