Remote Command Execution, Privilege Escalation & Insecure TLS Implementation
Cordaware bestinformed Windows Client
|Octav Opaschi (Detack GmbH)
Felix Wallaschek (Detack GmbH)
The Cordaware bestinformed Windows Client was affected by vulnerabilities that allowed remote code execution and local privilege escalation. The client furthermore implemented network-level encryption in an insecure manner, allowing an attacker to issue arbitrary commands to the client. The vendor provides patched versions of the client, which should be installed immediately.
Cordaware bestinformed® is the leading desktop mass notification system used for company-wide distribution of urgent information. Messages are instantly distributed according to specified groups. The messages then immediately appear on the recipients' desktops as a dynamic news ticker.
The scripting functionality and automatic update procedure implemented in the bestinformed Windows Client allowed any attacker with access to the local network to execute arbitrary commands in the context of the logged-on user or with SYSTEM privileges, regardless of the client's or server's configuration.
The bestinformed Windows Client shipped an outdated and insecure implementation of the SSL protocol, which failed to verify server certificates and allowed an attacker to force the client to fall back to an unencrypted protocol by trivial means.
A proof of concept is not provided with this advisory.
It is recommended to update the bestinformed client to the latest available version immediately.
Furthermore, the following settings should be configured in the Infoclient.ini file:
UseSSL=True (enforce SSL usage in client versions before 188.8.131.52)
If no SSL is being used in the deployment, the following settings MUST be set. If SSL is being used, Detack recommends enabling them anyway in order to disable the automatic update function and the scripting functionality, both of which allow the server to execute arbitrary commands and executables on the client. Client updates should be provided via alternative means, such as Microsoft SCCM.
NoScript=True (disable Scripting)
NoAutoupdate=True (disable the bestinformed internal automatic client update functionality)
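The following audit script is an added example, not part of this advisory or of Cordaware's software: it reads an Infoclient.ini and reports which of the three hardening settings above are missing or not set to True. The section name [Settings] and the other keys in the constructed sample are assumptions, since the advisory does not document the file's layout.

```python
"""Audit a bestinformed Infoclient.ini for the settings recommended in the advisory."""
import configparser

# Constructed sample file. The [Settings] section name and the Server key are
# assumptions; only UseSSL, NoScript and NoAutoupdate come from the advisory.
SAMPLE_INI = """\
[Settings]
Server=bestinformed.example.internal
UseSSL=False
NoScript=False
"""

# Values the advisory requires (NoScript/NoAutoupdate mandatory without SSL,
# recommended even with SSL).
REQUIRED = {"UseSSL": "True", "NoScript": "True", "NoAutoupdate": "True"}


def parse_infoclient_ini(text):
    """Return a flat {lowercased key: value} map of every key in every section.

    A file without any section header (which configparser rejects) is wrapped
    in a dummy section so that it can still be audited.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key spelling; we lowercase it ourselves
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        parser.read_string("[__top__]\n" + text)
    flat = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            flat[key.lower()] = value.strip()
    return flat


def audit_hardening(text):
    """Return {setting: None} for compliant settings, {setting: reason} otherwise."""
    settings = parse_infoclient_ini(text)
    findings = {}
    for key, wanted in REQUIRED.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings[key] = f"not set; advisory requires {key}={wanted}"
        elif actual.lower() != wanted.lower():
            findings[key] = f"is {actual!r}; advisory requires {key}={wanted}"
        else:
            findings[key] = None
    return findings


if __name__ == "__main__":
    for setting, problem in audit_hardening(SAMPLE_INI).items():
        print(f"{setting}: {'OK' if problem is None else problem}")
```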