Sign-up

ID

VAR-201906-0576


CVE

CVE-2019-12280


TITLE

PC-Doctor Toolbox Vulnerabilities in uncontrolled search path elements

Trust: 0.8

sources: JVNDB: JVNDB-2019-005720

DESCRIPTION

PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element. PC-Doctor Toolbox Contains a vulnerability related to uncontrolled search path elements.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. PC-Doctor for Windows is prone to an arbitrary code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial of service condition. PC-Doctor Toolbox is a hardware diagnostic and system information monitoring tool developed by PC-Doctor Toolbox in the United States. A security vulnerability exists in PC-Doctor Toolbox versions prior to 7.3. Full Disclosure I. VULNERABILITY ------------------------- Uncontrolled search path element vulnerability in PC-Doctor Toolbox prior to version 7.3 allows local users to gain privileges and conduct DLL hijacking attacks via a trojan horse DLL located in an unsecured directory which has been added to the PATH environment variable. II. CVE REFERENCE ------------------------- CVE-2019-12280 III. VENDOR ------------------------- PC-Doctor, Inc. IV. Affected Products ------------------------- PC-Doctor Toolbox for Windows Also re-branded as: CORSAIR ONE Diagnostics CORSAIR Diagnostics Staples EasyTech Diagnostics Tobii I-Series Diagnostic Tool Tobii Dynavox Diagnostic Tool V. TIMELINE ------------------------- May 03, 2019 Vulnerability reported to PC-Doctor, Inc. May 04, 2019 Vulnerability confirmed by PC-Doctor, Inc. May 17, 2019 PC-Doctor, Inc. identified additional attack vectors in third party dependencies. June 11, 2019 PC-Doctor Toolbox for Windows 7.3 released to OEM customers for testing. June 12, 2019 PC-Doctor Toolbox for Windows 7.3 released to retail end-users. June 19, 2019 Disclosure published. VI. CREDIT ------------------------- Peleg Hadar from SafeBreach, Inc. VII. SOLUTION ------------------------- Upgrade to version 7.3 of PC-Doctor Toolbox (or re-branded products)

Trust: 2.07

sources: NVD: CVE-2019-12280 // JVNDB: JVNDB-2019-005720 // BID: 108880 // VULHUB: VHN-144011 // PACKETSTORM: 153374

AFFECTED PRODUCTS

vendor:pc doctormodel:toolboxscope:ltversion:7.3

Trust: 1.8

vendor:dellmodel:supportassist for home pcsscope:eqversion:3.2.2

Trust: 1.0

vendor:dellmodel:supportassist for business pcsscope:eqversion:2.0.1

Trust: 1.0

vendor:dellmodel:supportassist for business pcsscope: - version: -

Trust: 0.8

vendor:pc doctormodel:pc-doctor for windowscope:eqversion:0

Trust: 0.3

vendor:dellmodel:supportassist for home pcsscope:eqversion:3.2.1

Trust: 0.3

vendor:dellmodel:supportassist for business pcsscope:eqversion:2.0

Trust: 0.3

vendor:dellmodel:supportassist for home pcsscope:neversion:3.2.2

Trust: 0.3

vendor:dellmodel:supportassist for business pcsscope:neversion:2.0.1

Trust: 0.3

sources: BID: 108880 // JVNDB: JVNDB-2019-005720 // NVD: CVE-2019-12280

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12280
value: HIGH

Trust: 1.0

NVD: CVE-2019-12280
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-931
value: HIGH

Trust: 0.6

VULHUB: VHN-144011
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-12280
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144011
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12280
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-144011 // JVNDB: JVNDB-2019-005720 // CNNVD: CNNVD-201906-931 // NVD: CVE-2019-12280

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.9

sources: VULHUB: VHN-144011 // JVNDB: JVNDB-2019-005720 // NVD: CVE-2019-12280

THREAT TYPE

local

Trust: 0.9

sources: BID: 108880 // CNNVD: CNNVD-201906-931

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201906-931

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-005720

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-144011

PATCH
title:PC-Doctor Responds to Software Vulnerability Reporturl:http://www.pc-doctor.com/company/pr-articles/130-pc-doctor-responds-to-software-vulnerability-report
Trust: 0.8
title:DSA-2019-084url:https://www.dell.com/support/article/il/en/ilbsdt1/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en
Trust: 0.8
title:PC-Doctor Toolbox Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94061
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-005720 // 
            
            
            
            CNNVD: CNNVD-201906-931

EXTERNAL IDS
db:NVDid:CVE-2019-12280
Trust: 2.9
db:BIDid:108880
Trust: 2.0
db:PACKETSTORMid:153374
Trust: 1.8
db:JVNDBid:JVNDB-2019-005720
Trust: 0.8
db:CNNVDid:CNNVD-201906-931
Trust: 0.7
db:VULHUBid:VHN-144011
Trust: 0.1
sources:
            
            
            VULHUB: VHN-144011 // 
            
            
            
            BID: 108880 // 
            
            
            
            JVNDB: JVNDB-2019-005720 // 
            
            
            
            PACKETSTORM: 153374 // 
            
            
            
            CNNVD: CNNVD-201906-931 // 
            
            
            
            NVD: CVE-2019-12280

REFERENCES
url:https://seclists.org/fulldisclosure/2019/jun/29
Trust: 3.4
url:https://www.us-cert.gov/ncas/current-activity/2019/06/21/dell-releases-security-advisory-dell-supportassist
Trust: 2.5
url:http://www.pc-doctor.com/company/pr-articles/130-pc-doctor-responds-to-software-vulnerability-report
Trust: 2.0
url:http://www.securityfocus.com/bid/108880
Trust: 1.7
url:http://packetstormsecurity.com/files/153374/pc-doctor-toolbox-dll-hijacking.html
Trust: 1.7
url:https://safebreach.com/press-post/safebreach-identifies-serious-vulnerability-in-pc-doctor-software
Trust: 1.7
url:https://www.dell.com/support/article/il/en/ilbsdt1/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-12280
Trust: 1.5
url:https://safebreach.com/post/oem-software-puts-multiple-laptops-at-risk
Trust: 0.9
url:https://www.dell.com/support/article/us/en/04/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12280
Trust: 0.8
url:http://www.pc-doctor.com
Trust: 0.3
sources:
            
            
            VULHUB: VHN-144011 // 
            
            
            
            BID: 108880 // 
            
            
            
            JVNDB: JVNDB-2019-005720 // 
            
            
            
            PACKETSTORM: 153374 // 
            
            
            
            CNNVD: CNNVD-201906-931 // 
            
            
            
            NVD: CVE-2019-12280

CREDITS
Peleg Hadar
Trust: 1.0
sources:
            
            
            BID: 108880 // 
            
            
            
            PACKETSTORM: 153374 // 
            
            
            
            CNNVD: CNNVD-201906-931

SOURCES
db:VULHUBid:VHN-144011
db:BIDid:108880
db:JVNDBid:JVNDB-2019-005720
db:PACKETSTORMid:153374
db:CNNVDid:CNNVD-201906-931
db:NVDid:CVE-2019-12280

LAST UPDATE DATE
2024-11-23T22:33:50.709000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-144011date:2019-06-26T00:00:00
db:BIDid:108880date:2019-06-20T00:00:00
db:JVNDBid:JVNDB-2019-005720date:2019-06-27T00:00:00
db:CNNVDid:CNNVD-201906-931date:2019-06-27T00:00:00
db:NVDid:CVE-2019-12280date:2024-11-21T04:22:33.390

SOURCES RELEASE DATE
db:VULHUBid:VHN-144011date:2019-06-25T00:00:00
db:BIDid:108880date:2019-06-20T00:00:00
db:JVNDBid:JVNDB-2019-005720date:2019-06-27T00:00:00
db:PACKETSTORMid:153374date:2019-06-20T13:33:33
db:CNNVDid:CNNVD-201906-931date:2019-06-25T00:00:00
db:NVDid:CVE-2019-12280date:2019-06-25T21:15:09.733