CVE-2022-29908 The Fabasoft Cloud Enterprise Client service allows local privilege escalation.
This is a very dangerous issue. It allows users to perform an action that is restricted to administrators, such as changing the password on a system, with the privileges of a user. To prevent this issue, Fabasoft Cloud Enterprise provides the “Lock user after login” policy. It enforces the administrator to grant permissions after the user logs in, so that no user can change the password of another user.
However, despite this security measure, Fabasoft Cloud Enterprise provides a remote service that allows Local Privilege Escalation. This service allows users to change the password of any other user. This issue can be exploited by an attacker to change the password of a user with administrator privileges, without being noticed by the administrator. This issue affects all users of the system that have the “Lock user after login” policy enabled, so that no administrator can be sure that users cannot change the password of another user.
The vulnerability
The vulnerability allows a user with administrator privileges to change the password of another user without the administrator being aware. This can result in the attacker gaining control of administrative privileges on the system.
Description of the issue
An issue has been identified in the remote service that allows Local Privilege Escalation. This service allows users to change the password of any other user.
This issue affects all users of the system that have the “Lock user after login” policy enabled, so that no administrator can be sure that users cannot change the password of another user. This is a very dangerous issue because it allows users to perform an action with privileges that are restricted only to administrators.
Remote Code Execution
The issue is about the remote service that allows Local Privilege Escalation. When this service is used, an attacker can change the password of a user with administrator privileges, without being noticed by the administrator. This allows an attacker to modify a system with malicious intentions.
Summary of The Issue
This is a very dangerous issue. It allows users to perform an action that is restricted to administrators, such as changing the password on a system, with the privileges of a user. To prevent this issue, Fabasoft Cloud Enterprise provides the “Lock user after login” policy. This prevents any administrator from performing certain actions such as changing the password for another administrator. However, despite this security measure, Fabasoft Cloud Enterprise provides a remote service that allows Local Privilege Escalation. This service allows users to change the password of any other user. This issue can be exploited by an attacker to change the password of a user with administrator privileges, without being noticed by the administrator.
Timeline
Published on: 09/19/2022 16:15:00 UTC
Last modified on: 09/21/2022 15:40:00 UTC