CVE-2019-12091

HIGH7.8Injection

Description

The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost. The connection handling function in this service suffers from command injection vulnerability. Local users can use this vulnerability to execute code with NT\SYSTEM privilege.

CVSS breakdown

CVSS 3.0

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Netskope / Netskope ClientNetskope client 60.2.0.214 – Netskope client 60.2.0.214
Netskope / Netskope ClientNetskope client 57.2.0.219 – Netskope client 57.2.0.219
Netskope / Netskope Client57 – Netskope client*

References

MISChttps://support.netskope.com/hc/article_attachments/360033003553/Sprint_62_Release_Notes.pdf
MISChttps://support.netskope.com/hc/en-us/articles/360014589894-Netskope-Client
VENDOR_ADVISORYhttps://airbus-seclab.github.io/advisories/netskope.html