Vulnerability Description
STRATO HiDrive Desktop Client 5.0.1.0 for Windows suffers from a SYSTEM privilege escalation vulnerability through the HiDriveMaintenanceService service. This service establishes a NetNamedPipe endpoint that allows applications to connect and call publicly exposed methods. An attacker can inject and execute code by hijacking the insecure communications with the service. This vulnerability also affects Telekom MagentaCLOUD through 5.7.0.0 and 1&1 Online Storage through 6.1.0.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Strato | HiDrive Desktop Client | <= 5.0.1.0 |
| Telekom | MagentaCLOUD | <= 5.7.0.0 |
| Ionos | 1&1 Online Storage | <= 6.1.0.0 |
Related Weaknesses (CWE)
References
- https://zer0-day.pw/articles/2019-04/HiDrive-LPE-via-Insecure-WCF-endpoint (Exploit, Third Party Advisory)
FAQ
What is CVE-2019-9486?
CVE-2019-9486 is a vulnerability with a CVSS score of 8.8 (HIGH). STRATO HiDrive Desktop Client 5.0.1.0 for Windows suffers from a SYSTEM privilege escalation vulnerability through the HiDriveMaintenanceService service. This service establishes a NetNamedPipe endpoi...
How severe is CVE-2019-9486?
CVE-2019-9486 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-9486?
Check the references section above for vendor advisories and patch information. Affected products include: Strato HiDrive Desktop Client, Telekom MagentaCLOUD, Ionos 1&1 Online Storage.