CVE-2016-20033 — HIGH (7.8)

Vulnerability Description

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Wowza	Streaming Engine	4.5.0

Related Weaknesses (CWE)

CWE-639

References

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5339.phpExploitThird Party Advisory
https://www.exploit-db.com/exploits/40132ExploitThird Party AdvisoryVDB Entry
https://www.vulncheck.com/advisories/wowza-streaming-engine-local-privilege-escaThird Party Advisory

FAQ

What is CVE-2016-20033?

CVE-2016-20033 is a vulnerability with a CVSS score of 7.8 (HIGH). Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions g...

How severe is CVE-2016-20033?

CVE-2016-20033 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-20033?

Check the references section above for vendor advisories and patch information. Affected products include: Wowza Streaming Engine.