CVE-2018-10646 - OpenCVE

CyberGhost 6.5.0.3180 for Windows suffers from a SYSTEM privilege escalation vulnerability through the "CG6Service" service. This service establishes a NetNamedPipe endpoint that allows arbitrary installed applications to connect and call publicly exposed methods. The "ConnectToVpnServer" method accepts a "connectionParams" argument that provides attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM user.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cyberghostvpn	Cyberghost

Configuration 1 [-]

cpe:2.3:a:cyberghostvpn:cyberghost:6.5.0.3180:*:*:*:*:windows:*:*

No data.

References

Link	Providers
https://github.com/VerSprite/research/blob/master/advisories/VS-2018-023.md

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-05-02T07:00:00

Updated: 2024-08-05T07:46:47.068Z

Reserved: 2018-05-02T00:00:00

Link: CVE-2018-10646

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-05-02T07:29:00.447

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-10646

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-05-02T00:00:00", "descriptions": [{"lang": "en", "value": "CyberGhost 6.5.0.3180 for Windows suffers from a SYSTEM privilege escalation vulnerability through the \"CG6Service\" service. This service establishes a NetNamedPipe endpoint that allows arbitrary installed applications to connect and call publicly exposed methods. The \"ConnectToVpnServer\" method accepts a \"connectionParams\" argument that provides attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM user."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-02T06:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-023.md"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-10646", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CyberGhost 6.5.0.3180 for Windows suffers from a SYSTEM privilege escalation vulnerability through the \"CG6Service\" service. This service establishes a NetNamedPipe endpoint that allows arbitrary installed applications to connect and call publicly exposed methods. The \"ConnectToVpnServer\" method accepts a \"connectionParams\" argument that provides attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-023.md", "refsource": "MISC", "url": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-023.md"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:46:47.068Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-023.md"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-10646", "datePublished": "2018-05-02T07:00:00", "dateReserved": "2018-05-02T00:00:00", "dateUpdated": "2024-08-05T07:46:47.068Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cyberghostvpn:cyberghost:6.5.0.3180:*:*:*:*:windows:*:*", "matchCriteriaId": "62E6480B-F137-4F87-B01C-334C013DEF2C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CyberGhost 6.5.0.3180 for Windows suffers from a SYSTEM privilege escalation vulnerability through the \"CG6Service\" service. This service establishes a NetNamedPipe endpoint that allows arbitrary installed applications to connect and call publicly exposed methods. The \"ConnectToVpnServer\" method accepts a \"connectionParams\" argument that provides attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM user."}, {"lang": "es", "value": "CyberGhost 6.5.0.3180 para Windows sufre de una vulnerabilidad de escalado de privilegios SYSTEM a trav\u00e9s del servicio \"CG6Service\". Este servicio establece un endpoint NetNamedPipe que permite que aplicaciones instaladas de forma arbitraria se conecten y llamen a m\u00e9todos expuestos de forma p\u00fablica. El m\u00e9todo \"ConnectToVpnServer\" acepta un argumento \"connectionParams\" que proporciona control al atacante de la l\u00ednea de comandos de OpenVPN. Un atacante puede especificar un plugin de biblioteca din\u00e1mica que deber\u00eda ejecutarse para cada nuevo intento de conexi\u00f3n de VPN. Este plugin ejecutar\u00e1 c\u00f3digo en el contexto del usuario SYSTEM."}], "id": "CVE-2018-10646", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-02T07:29:00.447", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-023.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}