Vulnerability Details : CVE-2020-12431
A Windows privilege change issue was discovered in Splashtop Software Updater before 1.5.6.16. Insecure permissions on the configuration file and named pipe allow for local privilege escalation to NT AUTHORITY/SYSTEM, by forcing a permission change to any Splashtop files and directories, with resultant DLL hijacking. This product is bundled with Splashtop Streamer (before 3.3.8.0) and Splashtop Business (before 3.3.8.0).
Vulnerability category: Gain privilege
Exploit prediction scoring system (EPSS) score for CVE-2020-12431
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-12431
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.3
|
MEDIUM | AV:L/AC:M/Au:N/C:N/I:C/A:C |
3.4
|
9.2
|
NIST |
6.6
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H |
1.3
|
5.2
|
NIST |
CWE ids for CVE-2020-12431
-
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-12431
-
https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-splashtop-streamer
Splashtop Streamer Vulnerability — Improsec | improving securityExploit;Third Party Advisory
-
https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/360042648231-Splashtop-Streamer-version-3-3-8-0-for-Windows-released-includes-SOS-version-3-3-8-0
Splashtop Streamer version 3.3.8.0 for Windows released - includes SOS version 3.3.8.0 – Splashtop Business - SupportRelease Notes;Vendor Advisory
Products affected by CVE-2020-12431
- cpe:2.3:a:splashtop:software_updater:*:*:*:*:*:*:*:*
- cpe:2.3:a:splashtop:streamer:*:*:*:*:-:windows:*:*
- cpe:2.3:a:splashtop:streamer:*:*:*:*:business:windows:*:*