CVE-2018-17612

Опубликовано: 09 нояб. 2018

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Sennheiser HeadSetup 7.3.4903 places Certification Authority (CA) certificates into the Trusted Root CA store of the local system, and publishes the private key in the SennComCCKey.pem file within the public software distribution, which allows remote attackers to spoof arbitrary web sites or software publishers for several years, even if the HeadSetup product is uninstalled. NOTE: a vulnerability-assessment approach must check all Windows systems for CA certificates with a CN of 127.0.0.1 or SennComRootCA, and determine whether those certificates are unwanted.

Ссылки

http://www.securityfocus.com/bid/106045
Third Party Advisory
VDB Entry
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180029
Patch
Vendor Advisory
https://www.secorvo.de/publikationen/headsetup-vulnerability-report-secorvo-2018.pdf
Exploit
Mitigation
Technical Description
Third Party Advisory
http://www.securityfocus.com/bid/106045
Third Party Advisory
VDB Entry
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180029
Patch
Vendor Advisory
https://www.secorvo.de/publikationen/headsetup-vulnerability-report-secorvo-2018.pdf
Exploit
Mitigation
Technical Description
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sennheiser:headsetup:7.3.4903:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*

cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*

cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*

EPSS

Процентиль: 72%

0.00717

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-295

Связанные уязвимости

GHSA-c4fc-cx58-4v39

CVSS3: 7.5

github

больше 3 лет назад

ADV180029

msrc

около 7 лет назад

Inadvertently Disclosed Digital Certificates Could Allow Spoofing