Security Bulletins

1E-2020-2004

Privilege escalation in 1E client

Bulletin ID
1E-2020-2004
Issue Date
Dec 29, 2020
Last Update
Dec 29, 2020
Priority
Important
CVSS
8.8 (High)
Assigned CVE
CVE-2020-16268
Affected Products
1E Client for Windows

1. Vulnerability Details

CVE-ID

CVE-2020-16268

Description

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.

CVSS3.1 Score

Base Score 8.8 (High)

CVSS3.1 Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem type

CWE 668: Execution with Unnecessary Privileges

2. Affected products and versions

Product
Versions

1E Client for Windows

5.0.x

1E Client for Windows

4.1.x

Do you want to report a security issue?

TeamViewer’s security team will investigate every submission in our Vulnerability Disclosure Program.