CVE-2019-18631
HIGHCentrify Authentication and Privilege Elevation Services <3.6.0 - RCE
Title source: llmDescription
The Windows component of Centrify Authentication and Privilege Elevation Services 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1 (18.8), 3.5.2 (18.11), and 3.6.0 (19.6) does not properly handle an unspecified exception during use of partially trusted assemblies to serialize input data, which allows attackers to execute arbitrary code inside the Centrify process via (1) a crafted application that makes a pipe connection to the process and sends malicious serialized data or (2) a crafted Microsoft Management Console snap-in control file.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://centrify.force.com/support/Article/KB-22420-Centrify-Agent-for-Windows-Remote-Code-Execution-Vulnerability
Scores
CVSS v3
7.8
EPSS
0.0118
EPSS Percentile
63.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (16)
centrify/authentication_service
3.4.0
centrify/authentication_service
3.4.1
centrify/authentication_service
3.4.2
centrify/authentication_service
3.4.3
centrify/authentication_service
3.5.0
centrify/authentication_service
3.5.1
centrify/authentication_service
3.5.2
centrify/authentication_service
3.6.0
centrify/privilege_elevation_service
3.4.0
centrify/privilege_elevation_service
3.4.1
... and 6 more
Published
Nov 05, 2019
Tracked Since
Feb 18, 2026