ID

VAR-202308-3003


CVE

CVE-2023-27362


TITLE

3CX Uncontrolled Search Path Local Privilege Escalation Vulnerability

Trust: 0.7

sources: ZDI: ZDI-23-1153

DESCRIPTION

3CX Uncontrolled Search Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 3CX. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20026

Trust: 1.53

sources: NVD: CVE-2023-27362 // ZDI: ZDI-23-1153

AFFECTED PRODUCTS

vendor: 3cx
model: 3cx
scope: -
version: -

Trust: 0.7

sources: ZDI: ZDI-23-1153

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-27362
value: HIGH

Trust: 1.0

ZDI: CVE-2023-27362
value: CRITICAL

Trust: 0.7

zdi-disclosures@trendmicro.com: CVE-2023-27362
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.0

ZDI: CVE-2023-27362
baseSeverity: CRITICAL
baseScore: 7.0
vectorString: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-1153 // NVD: CVE-2023-27362

PROBLEMTYPE DATA

problemtype: CWE-427

Trust: 1.0

sources: NVD: CVE-2023-27362

PATCH

title: 3CX has issued an update to correct this vulnerability.
url: https://www.3cx.com/blog/releases/v18-u8/

Trust: 0.7

sources: ZDI: ZDI-23-1153

EXTERNAL IDS

db: NVD, id: CVE-2023-27362

Trust: 1.7

db: ZDI, id: ZDI-23-1153

Trust: 1.7

db: ZDI_CAN, id: ZDI-CAN-20026

Trust: 0.7

sources: ZDI: ZDI-23-1153 // NVD: CVE-2023-27362

REFERENCES

url: https://www.3cx.com/blog/releases/v18-u8/

Trust: 1.7

url: https://www.zerodayinitiative.com/advisories/zdi-23-1153/

Trust: 1.0

sources: ZDI: ZDI-23-1153 // NVD: CVE-2023-27362

CREDITS

Xavier DANEST

Trust: 0.7

sources: ZDI: ZDI-23-1153

SOURCES

db: ZDI, id: ZDI-23-1153
db: NVD, id: CVE-2023-27362

LAST UPDATE DATE

2024-08-14T14:30:19.218000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-23-1153, date: 2023-08-21T00:00:00
db: NVD, id: CVE-2023-27362, date: 2024-05-03T12:50:34.250

SOURCES RELEASE DATE

db: ZDI, id: ZDI-23-1153, date: 2023-08-21T00:00:00
db: NVD, id: CVE-2023-27362, date: 2024-05-03T02:15:14.350