Vulnerability Description
A Windows privilege change issue was discovered in Splashtop Software Updater before 1.5.6.16. Insecure permissions on the configuration file and named pipe allow for local privilege escalation to NT AUTHORITY/SYSTEM, by forcing a permission change to any Splashtop files and directories, with resultant DLL hijacking. This product is bundled with Splashtop Streamer (before 3.3.8.0) and Splashtop Business (before 3.3.8.0).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Splashtop | Software Updater | < 1.5.6.16 |
| Splashtop | Streamer | < 3.3.8.0 |
Related Weaknesses (CWE)
References
- https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-splashtop-s (Exploit, Third Party Advisory)
- https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/360042648231-S (Release Notes, Vendor Advisory)
FAQ
What is CVE-2020-12431?
CVE-2020-12431 is a vulnerability with a CVSS score of 6.6 (MEDIUM). A Windows privilege change issue was discovered in Splashtop Software Updater before 1.5.6.16. Insecure permissions on the configuration file and named pipe allow for local privilege escalation to NT ...
How severe is CVE-2020-12431?
CVE-2020-12431 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-12431?
Check the references section above for vendor advisories and patch information. Affected products include: Splashtop Software Updater, Splashtop Streamer.