CVE-2023-7270 - OpenCVE

An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed. The SoftMaker Office and FreeOffice MSI installer files were found to produce a visible conhost.exe window running as the SYSTEM user when using the repair function of msiexec.exe. This allows a local, low-privileged attacker to use a chain of actions, to open a fully functional cmd.exe with the privileges of the SYSTEM user.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Jul/5
https://r.sec-consult.com/softmaker
https://softmaker.de/download/servicepacks
https://www.freeoffice.com/de/download/servicepacks

History

No history.

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published: 2024-06-27T09:28:21.528Z

Updated: 2024-08-02T08:57:35.070Z

Reserved: 2024-06-17T06:58:43.143Z

Link: CVE-2023-7270

Vulnrichment

Updated: 2024-08-02T08:57:35.070Z

NVD

Status : Awaiting Analysis

Published: 2024-06-27T10:15:10.240

Modified: 2024-08-01T13:45:53.123

Link: CVE-2023-7270

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-7270", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2024-06-17T06:58:43.143Z", "datePublished": "2024-06-27T09:28:21.528Z", "dateUpdated": "2024-08-02T08:57:35.070Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Office", "vendor": "SoftMaker Software GmbH", "versions": [{"status": "unaffected", "version": "2024 / NX, revision 1214"}]}, {"defaultStatus": "affected", "product": "FreeOffice", "vendor": "SoftMaker Software GmbH", "versions": [{"status": "unaffected", "version": "2024, revision 1215"}]}, {"defaultStatus": "affected", "product": "FreeOffice", "vendor": "SoftMaker Software GmbH", "versions": [{"status": "affected", "version": "2021 revision 1068"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Baer | SEC Consult Vulnerability Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><p>An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed.</p><p></p></div><p>The SoftMaker Office and FreeOffice MSI installer files were found to\n produce a visible conhost.exe window running as the SYSTEM user when \nusing the repair function of msiexec.exe. <span style=\"background-color: var(--wht);\">This allows a local, \nlow-privileged attacker to use a chain of actions, to open a fully \nfunctional cmd.exe with the privileges of the SYSTEM user.</span></p>"}], "value": "An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed.\n\n\n\n\n\nThe SoftMaker Office and FreeOffice MSI installer files were found to\n produce a visible conhost.exe window running as the SYSTEM user when \nusing the repair function of msiexec.exe.\u00a0This allows a local, \nlow-privileged attacker to use a chain of actions, to open a fully \nfunctional cmd.exe with the privileges of the SYSTEM user."}], "impacts": [{"capecId": "CAPEC-234", "descriptions": [{"lang": "en", "value": "CAPEC-234 Hijacking a privileged process"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2024-06-27T09:28:21.528Z"}, "references": [{"tags": ["exploit", "third-party-advisory"], "url": "https://r.sec-consult.com/softmaker"}, {"tags": ["patch"], "url": "https://softmaker.de/download/servicepacks"}, {"tags": ["patch"], "url": "https://www.freeoffice.com/de/download/servicepacks"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/5"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The vendor provides a service pack version 1214 for SoftMaker Office 2024 and SofMaker Office NX, which can be downloaded from:<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://softmaker.de/download/servicepacks\">https://softmaker.de/download/servicepacks</a></p><p>FreeOffice 2024 revision 1215:<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.freeoffice.com/de/download/servicepacks\">https://www.freeoffice.com/de/download/servicepacks</a></p><p>FreeOffice 2021 is unsupported and will not be fixed according to the vendor.</p><br>"}], "value": "The vendor provides a service pack version 1214 for SoftMaker Office 2024 and SofMaker Office NX, which can be downloaded from:\n https://softmaker.de/download/servicepacks \n\nFreeOffice 2024 revision 1215:\n https://www.freeoffice.com/de/download/servicepacks \n\nFreeOffice 2021 is unsupported and will not be fixed according to the vendor."}], "source": {"discovery": "UNKNOWN"}, "title": "Local Privilege Escalation via MSI installer", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "CWE-266 Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "softmaker", "product": "softmaker_office", "cpes": ["cpe:2.3:a:softmaker:softmaker_office:2021:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2024", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T13:11:41.264519Z", "id": "CVE-2023-7270", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T13:28:56.487Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:35.070Z"}, "title": "CVE Program Container", "references": [{"tags": ["exploit", "third-party-advisory", "x_transferred"], "url": "https://r.sec-consult.com/softmaker"}, {"tags": ["patch", "x_transferred"], "url": "https://softmaker.de/download/servicepacks"}, {"tags": ["patch", "x_transferred"], "url": "https://www.freeoffice.com/de/download/servicepacks"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/5", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://r.sec-consult.com/softmaker", "tags": ["exploit", "third-party-advisory", "x_transferred"]}, {"url": "https://softmaker.de/download/servicepacks", "tags": ["patch", "x_transferred"]}, {"url": "https://www.freeoffice.com/de/download/servicepacks", "tags": ["patch", "x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:35.070Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-7270", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T13:11:41.264519Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:softmaker:softmaker_office:2021:*:*:*:*:*:*:*"], "vendor": "softmaker", "product": "softmaker_office", "versions": [{"status": "affected", "version": "2024"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "CWE-266 Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T13:21:49.121Z"}}], "cna": {"title": "Local Privilege Escalation via MSI installer", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Michael Baer | SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-234", "descriptions": [{"lang": "en", "value": "CAPEC-234 Hijacking a privileged process"}]}], "affected": [{"vendor": "SoftMaker Software GmbH", "product": "Office", "versions": [{"status": "unaffected", "version": "2024 / NX, revision 1214"}], "defaultStatus": "affected"}, {"vendor": "SoftMaker Software GmbH", "product": "FreeOffice", "versions": [{"status": "unaffected", "version": "2024, revision 1215"}], "defaultStatus": "affected"}, {"vendor": "SoftMaker Software GmbH", "product": "FreeOffice", "versions": [{"status": "affected", "version": "2021 revision 1068"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "The vendor provides a service pack version 1214 for SoftMaker Office 2024 and SofMaker Office NX, which can be downloaded from:\n https://softmaker.de/download/servicepacks \n\nFreeOffice 2024 revision 1215:\n https://www.freeoffice.com/de/download/servicepacks \n\nFreeOffice 2021 is unsupported and will not be fixed according to the vendor.", "supportingMedia": [{"type": "text/html", "value": "<p>The vendor provides a service pack version 1214 for SoftMaker Office 2024 and SofMaker Office NX, which can be downloaded from:<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://softmaker.de/download/servicepacks\">https://softmaker.de/download/servicepacks</a></p><p>FreeOffice 2024 revision 1215:<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.freeoffice.com/de/download/servicepacks\">https://www.freeoffice.com/de/download/servicepacks</a></p><p>FreeOffice 2021 is unsupported and will not be fixed according to the vendor.</p><br>", "base64": false}]}], "references": [{"url": "https://r.sec-consult.com/softmaker", "tags": ["exploit", "third-party-advisory"]}, {"url": "https://softmaker.de/download/servicepacks", "tags": ["patch"]}, {"url": "https://www.freeoffice.com/de/download/servicepacks", "tags": ["patch"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/5"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed.\n\n\n\n\n\nThe SoftMaker Office and FreeOffice MSI installer files were found to\n produce a visible conhost.exe window running as the SYSTEM user when \nusing the repair function of msiexec.exe.\u00a0This allows a local, \nlow-privileged attacker to use a chain of actions, to open a fully \nfunctional cmd.exe with the privileges of the SYSTEM user.", "supportingMedia": [{"type": "text/html", "value": "<div><p>An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed.</p><p></p></div><p>The SoftMaker Office and FreeOffice MSI installer files were found to\n produce a visible conhost.exe window running as the SYSTEM user when \nusing the repair function of msiexec.exe. <span style=\"background-color: var(--wht);\">This allows a local, \nlow-privileged attacker to use a chain of actions, to open a fully \nfunctional cmd.exe with the privileges of the SYSTEM user.</span></p>", "base64": false}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2024-06-27T09:28:21.528Z"}}}, "cveMetadata": {"cveId": "CVE-2023-7270", "state": "PUBLISHED", "dateUpdated": "2024-08-02T08:57:35.070Z", "dateReserved": "2024-06-17T06:58:43.143Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2024-06-27T09:28:21.528Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed.\n\n\n\n\n\nThe SoftMaker Office and FreeOffice MSI installer files were found to\n produce a visible conhost.exe window running as the SYSTEM user when \nusing the repair function of msiexec.exe.\u00a0This allows a local, \nlow-privileged attacker to use a chain of actions, to open a fully \nfunctional cmd.exe with the privileges of the SYSTEM user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en SoftMaker Office 2024/NX antes de la revisi\u00f3n 1214 y SoftMaker FreeOffice 2014 antes de la revisi\u00f3n 1215. FreeOffice 2021 tambi\u00e9n se ve afectado, pero no se solucionar\u00e1. Se descubri\u00f3 que los archivos de instalaci\u00f3n de SoftMaker Office y FreeOffice MSI produc\u00edan una ventana visible de conhost.exe ejecut\u00e1ndose como el usuario de SYSTEM cuando se utiliza la funci\u00f3n de reparaci\u00f3n de msiexec.exe.Esto permite a un atacante local con pocos privilegios utilizar una cadena de acciones para abrir un cmd.exe completamente funcional con los privilegios del usuario de SYSTEM."}], "id": "CVE-2023-7270", "lastModified": "2024-08-01T13:45:53.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-27T10:15:10.240", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "http://seclists.org/fulldisclosure/2024/Jul/5"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/softmaker"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://softmaker.de/download/servicepacks"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://www.freeoffice.com/de/download/servicepacks"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}