NVD Vulnerability Detail

CVE-2019-7588

Summary	A vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can potentially be achieved. This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact any Windows Server OSs, or Linux deployments with permissions that are not inherited from the root directory. Authorized Users have ‘modify’ permission to the ESM folders, which allows a low privilege account to modify files located in these directories. An executable can be renamed and replaced by a malicious file that could connect back to a bad actor providing system level privileges. A low privileged user is not able to restart the service, but a restart of the system would trigger the execution of the malicious file. This issue affects: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) Version 5.12.2 and prior versions; This issue does not affect: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) 19.03 and above.
Publication Date	June 18, 2019, 11:15 p.m.
Registration Date	Jan. 26, 2021, 11:44 a.m.
Last Update	Nov. 21, 2024, 1:48 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:exacq:enterprise_system_manager::::::::			5.12.2
execution environment
1	cpe:2.3:o:microsoft:windows:-:::::::*

Related information, measures and tools

No	URL	タグ
1	https://exacq.com/kb?crc=31399	Mitigation Vendor Advisory
2	https://ics-cert.us-cert.gov/advisories/ICSA-19-164-01	Third Party Advisory US Government Resource
3	https://packetstormsecurity.com/files/151691/exacqvisionesm5122-escalate.txt	Exploit Third Party Advisory VDB Entry
4	https://www.johnsoncontrols.com/-/media/jci/be/united-states/specialty-pages/product-security/files/cpp-psa-2019-01-v2-exacqvision-esm.pdf	Mitigation Third Party Advisory
5	https://exacq.com/kb?crc=31399	Mitigation Vendor Advisory
6	https://www.johnsoncontrols.com/-/media/jci/be/united-states/specialty-pages/product-security/files/cpp-psa-2019-01-v2-exacqvision-esm.pdf	Mitigation Third Party Advisory
7	https://packetstormsecurity.com/files/151691/exacqvisionesm5122-escalate.txt	Exploit Third Party Advisory VDB Entry
8	https://ics-cert.us-cert.gov/advisories/ICSA-19-164-01	Third Party Advisory US Government Resource

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-276	不適切なデフォルトパーミッション	https://cwe.mitre.org/data/definitions/276.html

JVN Vulnerability Information

exacqVision Enterprise System Manager における認可に関する脆弱性

Title	exacqVision Enterprise System Manager における認可に関する脆弱性
Summary	exacqVision Enterprise System Manager (ESM) には、認可に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 21, 2019, midnight
Registration Date	June 25, 2019, 4:31 p.m.
Last Update	June 25, 2019, 4:31 p.m.

Affected System

Exacq Technologies

exacqVision Enterprise System Manager 5.12.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-7588	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7588
National Vulnerability Database (NVD)
2	CVE-2019-7588	https://nvd.nist.gov/vuln/detail/CVE-2019-7588

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-285	https://cwe.mitre.org/data/definitions/285.html

ベンダー情報

No	Name	URL
Knowledge Base
1	KB ID: 31399	https://exacq.com/kb/?crc=31399#loadAnswer=ebc3a63b-5e0c-be62-f712-5c67218d6c1f

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-19-164-01	https://ics-cert.us-cert.gov/advisories/ICSA-19-164-01

Change Log

No	Changed Details	Date of change
1	[2019年06月25日] 掲載	June 25, 2019, 4:31 p.m.