Remote Command Execution, Privilege Escalation & Insecure TLS Implementation in Cordaware bestinformed

Vulnerabilities in Cordaware bestinformed

Title

Remote Command Execution, Privilege Escalation & Insecure TLS Implementation

Product

Cordaware bestinformed Windows Client

Vulnerable Version

< 6.2.1.0

Fixed Version

6.2.1.0

CVE Number

CVE-2019-6265, CVE-2019-6266

Impact

Critical

Homepage

https://www.cordaware.com

Credits

Octav Opaschi (Detack GmbH)
Felix Wallaschek (Detack GmbH)

The Cordaware bestinformed Windows Client was affected by vulnerabilities which allowed remote code execution and local privilege escalation. The client furthermore implemented network-level encryption in an insecure manner, allowing an attacker to issue arbitrary commands to the client. The vendor provides patched versions of the client, which should be installed immediately.

Product Description

Cordaware bestinformed® is the leading desktop mass notification system used for companywide distribution of urgent information. Messages are instantly distributed according to specified groups. The messages then immediately appear on the recipients' desktops as a dynamic news-ticker.

Source: https://www.cordaware.com/en/bestinformed.php

Vulnerability Description

  1. Remote Command Execution, Privilege Escalation (CVE-2019-6265)

The scripting functionality and automatic update procedure implemented in the bestinformed Windows Client allowed any attacker with access to the local network to execute arbitrary commands in the context of the logged-on user or with SYSTEM privileges, regardless of the client's or server's configuration.

  2. Insecure TLS Implementation (CVE-2019-6266)

The bestinformed Windows client used an outdated and insecure implementation of the SSL protocol which failed to verify server certificates and allowed an attacker to force the client to fall back to an unencrypted protocol by trivial means.

Proof of Concept

A proof of concept is not provided with this advisory.

Solution / Workaround

It is recommended to update the bestinformed client to the latest available version immediately.

Furthermore, the following setting should be configured in the Infoclient.ini file:

UseSSL=True (enforce SSL usage in client versions before 6.2.2.6)

If no SSL is being used in the deployment, the following settings MUST be set. If SSL is being used, Detack recommends enabling them anyway, in order to disable the automatic update function and the scripting functionality, which allow the server to execute arbitrary commands and executables on the client. Client updates should be provided via alternative means, such as Microsoft SCCM.

NoScript=True (disable Scripting)
NoAutoupdate=True (disable the bestinformed internal automatic client update functionality)
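As an added example (not part of this advisory and not Cordaware's code), a small Python audit that reads an Infoclient.ini and reports which of the three settings above are missing or not set to True. The sample INI and its [Client] section header are constructed placeholders, since the advisory does not name the section that holds these keys.

```python
"""Audit a bestinformed Infoclient.ini for the hardening settings above."""

# Hardening keys named in the advisory and the value each must carry.
REQUIRED = {"UseSSL": "True", "NoScript": "True", "NoAutoupdate": "True"}

# Constructed sample; the [Client] section header is a placeholder, since
# the advisory does not say which section holds these keys.
SAMPLE_INI = """\
[Client]
Server=bestinformed.example.internal
UseSSL=False
NoScript=True
"""


def parse_ini(text):
    """Map every key=value line to {lowercased key: value}.

    Section headers and comment lines are skipped, so the keys are found
    whatever section they live in (assumption: key names are unique)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def audit(text):
    """Return one finding per missing or mis-set hardening key.

    An empty list means every key in REQUIRED is present with the expected
    value; comparison is case-insensitive, so NoScript=true also passes."""
    settings = parse_ini(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append(f"{key} missing (expected {key}={expected})")
        elif actual.lower() != expected.lower():
            findings.append(f"{key}={actual} (expected {key}={expected})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI) or ["compliant"]:
        print(finding)
```

Run against the deployed Infoclient.ini on each client (for example, collected through your endpoint management tooling) to confirm the three keys are set before, and after, the client update.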