
Security Bulletin: Issue in RCE in PCOMM Service through unprotected named pipe

2024-04-18 19:14:43
www.ibm.com
Tags: ibm personal communications, vulnerability, patched, rce, lpe, update, pcomm, version 14.0.7, version 15.0.2

CVSS3: 9 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.4 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.2%)

Summary

There is a vulnerability in IBM Personal Communications (PCOMM). Personal Communications has addressed the applicable CVE through a version update.

Vulnerability Details

CVEID: CVE-2024-25029
DESCRIPTION: IBM Personal Communications 15.0.1 includes a Windows service that is vulnerable to remote code execution (RCE) and local privilege escalation (LPE). The vulnerability allows any unprivileged user with network access to a target computer to run commands with full privileges in the context of NT AUTHORITY\SYSTEM. This allows a low-privileged attacker to move laterally to affected systems and to escalate their privileges.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/281619 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)    Version(s)
PCOMM                  14.0.5 – 14.06_iFix001
PCOMM                  15.0 – 15.01

Remediation/Fixes

For Client Fix

Upgrade to the fixed PCOMM version from the following location:

PCOMM v14.0.7:
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=14.0.7&platform=Windows&function=all

PCOMM v15.0.2:
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Personal+Communications&release=15.0.2&platform=Windows&function=all

Workarounds and Mitigations

None

Affected configurations

Vulners node:
ibm personal_communications, match 14.05
OR
ibm personal_communications, match 14.06
OR
ibm personal_communications, match 15.0.0
