Cybersecurity

23 readers

61 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

founded 2 years ago

MODERATORS

[email protected]

Disclosing details of a #vulnerability I discovered 1 year ago: (fedia.io)

submitted 2 months ago by [email protected] to c/[email protected]

0 comments fedilink hide all child comments

Disclosing details of a #vulnerability I discovered 1 year ago:

N-able Ecosystem Agent Improper Certificate Validation #CVE_2024_5445 vulnerability leads to #RCE as SYSTEM user.

Vulnerability details: https://sintonen.fi/advisories/n-able-ecosystem-agent-improper-certificate-validation.txt

N-able has rated this vulnerability CVSS 3.8, but the practical impact of this vulnerability is grave as it allows attackers in privileged network position to fully compromise vulnerable systems. While arguing for such low score N-able presentative stated that: "The vulnerability reported does not constitute an RCE, the Ecosystem agent is designed to run installation packages in a privileged context and the agent is doing what it should do when it receives such packages to install over the APIs."

I think this is somewhat disingenuous.

#infosec #cybersecurity

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here