CVE-2019-6173 - OpenCVE

A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	Installation Package

Configuration 1 [-]

cpe:2.3:a:lenovo:installation_package:*:*:*:*:*:*:*:*

References

Link	Resource
https://support.lenovo.com/us/en/product_security/len-27431	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2020-06-09T00:00:00

Updated: 2020-06-09T19:50:33

Reserved: 2019-01-11T00:00:00

Link: CVE-2019-6173

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-06-09T20:15:11.710

Modified: 2020-06-22T15:32:04.143

Link: CVE-2019-6173

JSON object: View

Redhat Information

No data.

CWE

CWE-426

{"containers": {"cna": {"affected": [{"product": "Installation Packages", "vendor": "Lenovo", "versions": [{"lessThan": "1.2.9.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Lenovo thanks Eran Shimony at CyberArk Labs for reporting this issue"}], "datePublic": "2020-06-09T00:00:00", "descriptions": [{"lang": "en", "value": "A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "description": "CWE-426 Untrusted Search Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-09T19:50:33", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.lenovo.com/us/en/product_security/len-27431"}], "solutions": [{"lang": "en", "value": "To mitigate these vulnerabilities, Lenovo recommends installing Lenovo software updates through Lenovo Vantage, Lenovo System Update, or Windows Update. Updates delivered through Update Retriever, Thin Installer, and System Update are also not affected. Lenovo installation packages version 1.2.9.3 or later are not affected. "}], "source": {"advisory": "LEN-27431", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "DATE_PUBLIC": "2020-06-09T18:00:00.000Z", "ID": "CVE-2019-6173", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Installation Packages", "version": {"version_data": [{"version_affected": "<", "version_value": "1.2.9.3"}]}}]}, "vendor_name": "Lenovo"}]}}, "credit": [{"lang": "eng", "value": "Lenovo thanks Eran Shimony at CyberArk Labs for reporting this issue"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-426 Untrusted Search Path"}]}]}, "references": {"reference_data": [{"name": "https://support.lenovo.com/us/en/product_security/len-27431", "refsource": "MISC", "url": "https://support.lenovo.com/us/en/product_security/len-27431"}]}, "solution": [{"lang": "en", "value": "To mitigate these vulnerabilities, Lenovo recommends installing Lenovo software updates through Lenovo Vantage, Lenovo System Update, or Windows Update. Updates delivered through Update Retriever, Thin Installer, and System Update are also not affected. Lenovo installation packages version 1.2.9.3 or later are not affected. "}], "source": {"advisory": "LEN-27431", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2019-6173", "datePublished": "2020-06-09T00:00:00", "dateReserved": "2019-01-11T00:00:00", "dateUpdated": "2020-06-09T19:50:33", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:installation_package:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDFE5768-B111-4090-9680-013B931AD47E", "versionEndExcluding": "1.2.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges."}, {"lang": "es", "value": "Una vulnerabilidad de ruta de b\u00fasqueda de DLL podr\u00eda permitir una escalada de privilegios en algunos paquetes de instalaci\u00f3n de Lenovo, versiones anteriores a 1.2.9.3, durante la instalaci\u00f3n si un atacante ya posee privilegios administrativos"}], "id": "CVE-2019-6173", "lastModified": "2020-06-22T15:32:04.143", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2020-06-09T20:15:11.710", "references": [{"source": "psirt@lenovo.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/len-27431"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-426"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}