Vulnerability Description
The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover. The issue is similar to CVE-2018-12441.
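To check a host for this class of misconfiguration, read the service's security descriptor (for example the SDDL string printed by `sc.exe sdshow CLink4Service`) and flag allow ACEs that grant unprivileged trustees configuration or ACL-write rights. The Python below is an added example, not code from the advisory or the vendor; the two sample descriptors are constructed and are not the actual CLink4Service DACL.

```python
import re

# SDDL right codes that let a caller reconfigure a service or rewrite its ACL.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
             "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs whose rights are written in hex.
DANGEROUS_BITS = {0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC",
                  0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
                  0x40000000: "GENERIC_WRITE"}
# Trustees that cover unprivileged local users (SDDL aliases and raw SIDs).
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
            "IU": "Interactive", "S-1-1-0": "Everyone",
            "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}


def dangerous_rights(rights):
    """Return the names of the dangerous rights present in one ACE rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return sorted(n for bit, n in DANGEROUS_BITS.items() if mask & bit)
    return sorted(DANGEROUS[c] for c in re.findall("..", rights) if c in DANGEROUS)


def audit_service_sddl(sddl):
    """List (trustee, rights) pairs where a low-privileged trustee is allowed
    to change the service configuration or its security descriptor."""
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))+)", sddl)  # DACL only, not the SACL
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":   # only plain allow ACEs
            continue
        trustee, rights = fields[5], dangerous_rights(fields[2])
        if trustee in LOW_PRIV and rights:
            findings.append((LOW_PRIV[trustee], rights))
    return findings


# Constructed descriptors, not taken from an affected installation.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;AU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_service_sddl(sddl))
```

An empty result means no allow ACE in the DACL gives the listed low-privileged trustees a right that can be used to reconfigure the service.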
CVSS Score
7.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Corsair | Link | 4.9.7.35 |
| Corsair | Axi | - |
| Corsair | Commander Mini | - |
| Corsair | Commander Pro | - |
| Corsair | H100I | - |
| Corsair | H100I Gtx | - |
| Corsair | H100I V2 | - |
| Corsair | H110I | - |
| Corsair | H110I Gt | - |
| Corsair | H110I Gtx | - |
| Corsair | H115I | - |
| Corsair | H80I | - |
| Corsair | H80I Gt | - |
| Corsair | H80I V2 | - |
| Corsair | Hxi | - |
| Corsair | Lighting Node Pro | - |
| Corsair | Rm | - |
| Corsair | Rmi | - |
| Corsair | X99 | - |
Related Weaknesses (CWE)
References
- http://forum.corsair.com/v3/showthread.php?t=155646 (Release Notes, Vendor Advisory)
- https://github.com/BradyDonovan/CVE-2018-19592/blob/master/CLink4Service (Third Party Advisory)
FAQ
What is CVE-2018-19592?
CVE-2018-19592 is a vulnerability with a CVSS score of 7.8 (HIGH). The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the cont...
How severe is CVE-2018-19592?
CVE-2018-19592 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-19592?
Check the references section above for vendor advisories and patch information. Affected products include: Corsair Link, Corsair Axi, Corsair Commander Mini, Corsair Commander Pro, Corsair H100I.