CVE-2017-6466
HIGHF-Secure Software Updater 2.20 - Unauthenticated Arbitrary Code Execution via Man-in-the-Middle File Replacement
Title source: llmDescription
F-Secure Software Updater 2.20, as distributed in several F-Secure products, downloads installation packages over plain http and does not perform file integrity validation after download. Man-in-the-middle attackers can replace the file with their own executable which will be executed under the SYSTEM account. Note that when Software Updater is configured to install updates automatically, it checks if the downloaded file is digitally signed by default, but does not check the author of the signature. When running in manual mode (default), no signature check is performed.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2017/Mar/28
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/96784
Scores
CVSS v3
8.1
EPSS
0.0154
EPSS Percentile
71.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (1)
f-secure/software_updater
2.20
Published
Mar 11, 2017
Tracked Since
Feb 18, 2026