Executive Summary
Summary | |
---|---|
Title | Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation |

Information | | | |
---|---|---|---|
Name | VU#813349 | First vendor Publication | 2023-07-27 |
Vendor | VU-CERT | Last vendor Modification | 2023-08-03 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: | | | |
---|---|---|---|
CVSS Base Score | N/A | Attack Range | N/A |
CVSS Impact Score | N/A | Attack Complexity | N/A |
CVSS Exploit Score | N/A | Authentication | N/A |
Detail
Overview
The software driver for the D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains an unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation.

Description
D-Link DWA-117 AC600 MU-MIMO is a Wi-Fi USB adapter that makes a Wi-Fi network accessible over USB. D-Link provides a software driver for the Microsoft Windows operating system that enables proper operation of the device with the operating system. The latest software driver (as of April 19, 2023) was found susceptible to an unquoted service path vulnerability. If certain conditions are met, there is potential for a local privilege escalation that allows an attacker to escalate privileges to a local administrative user.

The following conditions are required to trigger this bug:
* The software is installed in a directory with a space in it. (The default settings for the directory will work.)
* An unprivileged user should have write access to the directory above the folder that contains the space in its name. (Typical default Windows user permissions are sufficient.)

Impact
An attacker with low-level access can execute code as the system account. The increased privileges allow for access to sensitive files and malicious modifications to the system.

Solution
D-Link has provided a patch that addresses the issue. Customers should update their driver to the latest version.

Acknowledgements
Thanks to @L1v1ng0ffTh3L4n for reporting the vulnerability. This document was written by Kevin Stephens.
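The two conditions in the description above can be checked from a service's registered command line. The following audit sketch is an added example, not code from CERT/CC or D-Link: it flags unquoted paths that contain a space, lists the parent directories whose write permissions need review, and proposes the quoted form. The service names and paths are constructed, and the file-extension heuristic for finding the end of the executable is an assumption.

```python
import re

# Constructed ImagePath values (service name -> command line); not taken from the advisory.
# On a Windows host these come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "ExampleWlanSvc": r"C:\Program Files\Example Vendor\WLAN Utility\wlansvc.exe -k run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "SpaceInArgsOnly": r"C:\Tools\svc.exe --config C:\My Data\cfg.ini",
}

# Assumption: the executable ends at the first .exe/.com/.bat/.cmd followed by space or end.
EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Executable portion of an unquoted ImagePath; None if quoted or unrecognised."""
    s = image_path.strip()
    if s.startswith('"'):
        return None
    m = EXE_END.search(s)
    return s[:m.end()] if m else None


def dirs_to_audit(exe):
    """Parent directory of every path component whose name contains a space."""
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            parent = exe[: exe.rfind("\\", 0, i) + 1]
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def audit(services):
    """Flag unquoted service paths with a space and propose the quoted form."""
    findings = []
    for name, image_path in sorted(services.items()):
        exe = executable_part(image_path)
        if exe and " " in exe:
            args = image_path.strip()[len(exe):]
            findings.append({"service": name, "audit_dirs": dirs_to_audit(exe),
                             "fixed": f'"{exe}"{args}'})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f["service"], f["audit_dirs"], f["fixed"], sep="\n  ")
```

The directories in `audit_dirs` are the ones whose write permissions for unprivileged users should be reviewed (for example with `icacls`); the fix for the affected driver remains the vendor's patched version.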
Original Source
URL: https://kb.cert.org/vuls/id/813349
Alert History
Date | Information |
---|---|
2023-08-03 21:22:06 | |
2023-07-27 21:22:07 | |