CVE-2021-44750 - OpenCVE

An arbitrary code execution vulnerability was found in the F-Secure Support Tool. A standard user can craft a special configuration file, which when run by administrator can execute any commands.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
F-secure	Email And Server Security Client Security Server Security Elements Countercept
Microsoft	Windows

Configuration 1 [-]

AND

OR	cpe:2.3:a:f-secure:client_security:-:::::::*
	cpe:2.3:a:f-secure:countercept:-:::::::*
	cpe:2.3:a:f-secure:elements:-:::::::*
	cpe:2.3:a:f-secure:email_and_server_security:-:::::::*
	cpe:2.3:a:f-secure:server_security:-:::::::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.f-secure.com/en/business/support-and-downloads/security-advisories	Vendor Advisory
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44750	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: F-SecureUS

Published: 2022-03-09T11:38:29

Updated: 2022-03-09T16:56:20

Reserved: 2021-12-08T00:00:00

Link: CVE-2021-44750

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-10T17:44:23.660

Modified: 2022-03-15T16:44:24.350

Link: CVE-2021-44750

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "F-Secure Elements Agent, F-Secure MDR, F-Secure Client Security, F-Secure Server Security, F-Secure Email and Server Security, F-Secure Freedome VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security / Anti-Virus", "vendor": "F-Secure", "versions": [{"status": "affected", "version": "All Version "}]}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability was found in the F-Secure Support Tool. A standard user can craft a special configuration file, which when run by administrator can execute any commands."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Arbitrary Code Execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T16:56:20", "orgId": "126858f1-1b65-4b74-81ca-7034f7f7723f", "shortName": "F-SecureUS"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"}, {"tags": ["x_refsource_MISC"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44750"}], "solutions": [{"lang": "en", "value": "MITIGATION FACTOR\nUser interaction is required prior to exploitation. Administrative privileges is required to run arbitrary commands in the system."}], "source": {"discovery": "EXTERNAL"}, "title": "Arbitrary Code Execution", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-notifications-us@f-secure.com", "ID": "CVE-2021-44750", "STATE": "PUBLIC", "TITLE": "Arbitrary Code Execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "F-Secure Elements Agent, F-Secure MDR, F-Secure Client Security, F-Secure Server Security, F-Secure Email and Server Security, F-Secure Freedome VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security / Anti-Virus", "version": {"version_data": [{"version_affected": "=", "version_value": "All Version "}]}}]}, "vendor_name": "F-Secure"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An arbitrary code execution vulnerability was found in the F-Secure Support Tool. A standard user can craft a special configuration file, which when run by administrator can execute any commands."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Arbitrary Code Execution"}]}]}, "references": {"reference_data": [{"name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories", "refsource": "MISC", "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"}, {"name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44750", "refsource": "MISC", "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44750"}]}, "solution": [{"lang": "en", "value": "MITIGATION FACTOR\nUser interaction is required prior to exploitation. Administrative privileges is required to run arbitrary commands in the system."}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "126858f1-1b65-4b74-81ca-7034f7f7723f", "assignerShortName": "F-SecureUS", "cveId": "CVE-2021-44750", "datePublished": "2022-03-09T11:38:29", "dateReserved": "2021-12-08T00:00:00", "dateUpdated": "2022-03-09T16:56:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f-secure:client_security:-:*:*:*:*:*:*:*", "matchCriteriaId": "9EB0299E-30A5-48CF-9159-CB7E06B9BE02", "vulnerable": true}, {"criteria": "cpe:2.3:a:f-secure:countercept:-:*:*:*:*:*:*:*", "matchCriteriaId": "FA293BE9-69E6-4C20-A1D5-F9CC1B73BB80", "vulnerable": true}, {"criteria": "cpe:2.3:a:f-secure:elements:-:*:*:*:*:*:*:*", "matchCriteriaId": "49A48B56-5C57-4F22-ABC1-E99806B5CA34", "vulnerable": true}, {"criteria": "cpe:2.3:a:f-secure:email_and_server_security:-:*:*:*:*:*:*:*", "matchCriteriaId": "6A6261AA-513C-4DD0-9B2F-1A693BED2C48", "vulnerable": true}, {"criteria": "cpe:2.3:a:f-secure:server_security:-:*:*:*:*:*:*:*", "matchCriteriaId": "3FB84F1D-04A3-4E66-BF74-ED3D4297A048", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability was found in the F-Secure Support Tool. A standard user can craft a special configuration file, which when run by administrator can execute any commands."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en la herramienta de soporte de F-Secure. Un usuario est\u00e1ndar puede dise\u00f1ar un archivo de configuraci\u00f3n especial, que cuando es ejecutado por el administrador puede ejecutar cualquier comando"}], "id": "CVE-2021-44750", "lastModified": "2022-03-15T16:44:24.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "cve-notifications-us@f-secure.com", "type": "Secondary"}]}, "published": "2022-03-10T17:44:23.660", "references": [{"source": "cve-notifications-us@f-secure.com", "tags": ["Vendor Advisory"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"}, {"source": "cve-notifications-us@f-secure.com", "tags": ["Vendor Advisory"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44750"}], "sourceIdentifier": "cve-notifications-us@f-secure.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}