CVE-2018-19592 : The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecur

The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover, a similar issue to CVE-2018-12441.

Published 2019-09-27 16:15:10

Updated 2019-10-01 18:46:27

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2018-19592

Corsair » Link » Version: 4.9.7.35
cpe:2.3:o:corsair:link:4.9.7.35:*:*:*:*:*:*:*
Matching versions
When used together with: Corsair » AXI » Version: N/A
When used together with: Corsair » Commander Mini » Version: N/A
When used together with: Corsair » Commander Pro » Version: N/A
When used together with: Corsair » H100i » Version: N/A
When used together with: Corsair » H100i Gtx » Version: N/A
When used together with: Corsair » H100i V2 » Version: N/A
When used together with: Corsair » H110i » Version: N/A
When used together with: Corsair » H110i Gt » Version: N/A
When used together with: Corsair » H110i Gtx » Version: N/A
When used together with: Corsair » H115i » Version: N/A
When used together with: Corsair » H80i » Version: N/A
When used together with: Corsair » H80i Gt » Version: N/A
When used together with: Corsair » H80i V2 » Version: N/A
When used together with: Corsair » HXI » Version: N/A
When used together with: Corsair » Lighting Node Pro » Version: N/A
When used together with: Corsair » RM » Version: N/A
When used together with: Corsair » RMI » Version: N/A
When used together with: Corsair » X99 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2018-19592

EPSS FAQ

0.71%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-19592

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-19592

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-19592

https://github.com/BradyDonovan/CVE-2018-19592/blob/master/CLink4Service

CVE-2018-19592/CLink4Service at master · BradyDonovan/CVE-2018-19592 · GitHub
Third Party Advisory
http://forum.corsair.com/v3/showthread.php?t=155646

Corsair Link Software Update Version 4.9.9.3 - The Corsair User Forums
Release Notes;Vendor Advisory

Jump to

Vulnerability Details : CVE-2018-19592

Products affected by CVE-2018-19592

Exploit prediction scoring system (EPSS) score for CVE-2018-19592

CVSS scores for CVE-2018-19592

CWE ids for CVE-2018-19592

References for CVE-2018-19592