Lucene search

[email protected]CVE-2018-17612

HistoryNov 09, 2018 - 9:29 p.m.

CVE-2018-17612

2018-11-0921:29:00

CWE-295

[email protected]

web.nvd.nist.gov

cve-2018-17612

sennheiser

headsetup

certification authority

remote attackers

spoofing

web sites

software publishers

vulnerability

nvd

security advisory

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.1%

JSON

Sennheiser HeadSetup 7.3.4903 places Certification Authority (CA) certificates into the Trusted Root CA store of the local system, and publishes the private key in the SennComCCKey.pem file within the public software distribution, which allows remote attackers to spoof arbitrary web sites or software publishers for several years, even if the HeadSetup product is uninstalled. NOTE: a vulnerability-assessment approach must check all Windows systems for CA certificates with a CN of 127.0.0.1 or SennComRootCA, and determine whether those certificates are unwanted.

CPENameOperatorVersion
sennheiser:headsetupsennheiser headsetupeq7.3.4903
microsoft:windows_server_2008microsoft windows server 2008eqr2
microsoft:windows_server_2012microsoft windows server 2012eqr2
microsoft:windows_10microsoft windows 10eq1607
microsoft:windows_8.1microsoft windows 8.1eq-
microsoft:windows_server_2016microsoft windows server 2016eq-
microsoft:windows_server_2008microsoft windows server 2008eq-
microsoft:windows_7microsoft windows 7eq-
microsoft:windows_rt_8.1microsoft windows rt 8.1eq-
microsoft:windows_10microsoft windows 10eq1703

CPE	Name	Operator	Version
sennheiser:headsetup	sennheiser headsetup	eq	7.3.4903
microsoft:windows_server_2008	microsoft windows server 2008	eq	r2
microsoft:windows_server_2012	microsoft windows server 2012	eq	r2
microsoft:windows_10	microsoft windows 10	eq	1607
microsoft:windows_8.1	microsoft windows 8.1	eq	-
microsoft:windows_server_2016	microsoft windows server 2016	eq	-
microsoft:windows_server_2008	microsoft windows server 2008	eq	-
microsoft:windows_7	microsoft windows 7	eq	-
microsoft:windows_rt_8.1	microsoft windows rt 8.1	eq	-
microsoft:windows_10	microsoft windows 10	eq	1703

Rows per page:

1-10 of 181

References

www.securityfocus.com/bid/106045

portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180029

www.secorvo.de/publikationen/headsetup-vulnerability-report-secorvo-2018.pdf

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.1%

JSON

Related for CVE-2018-17612

prion1 mscve1 threatpost1