Published Product Vulnerabilities
Last updated in November 2023
Contents
CVE-2023-5964
CVEID
CVE-2023-5964
PRODUCT
1E Platform – Exchange Product Pack – End-User Interaction
VERSION
<23
PROBLEM TYPE
Improper Input Validation
REFERENCES
https://exchange.1e.com/product-packs/network/
https://www.1e.com/trust-security-compliance/cve-info/
DESCRIPTION
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.
To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ASSIGNING CNA
1E
CVE-2023-45163
CVEID
CVE-2023-45163
PRODUCT
1E Platform – Exchange Product Pack - Network
VERSION
<18.1
PROBLEM TYPE
Improper Input Validation
REFERENCES
https://exchange.1e.com/product-packs/network/
https://www.1e.com/trust-security-compliance/cve-info/
DESCRIPTION
The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.
To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1by uploading it through the 1E Platform instruction upload UI.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ASSIGNING CNA
1E
CVE-2023-45162
CVEID
CVE-2023-45162
PRODUCT
1E Platform
VERSION
– 8.1.2
– 8.4.1
– 9.0.1
– 23.7.1
PROBLEM TYPE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
REFERENCES
https://www.1e.com/trust-security-compliance/cve-info/
DESCRIPTION
Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.
Application of the relevant hotfix remediates this issue.
for v8.1.2 apply hotfix Q23166
for v8.4.1 apply hotfix Q23164
for v9.0.1 apply hotfix Q23173
SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this.
CVSS v3.1 Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ASSIGNING CNA
1E
CVE-2023-45161
CVEID
CVE-2023-45161
PRODUCT
1E Platform – Exchange Product Pack - Network
VERSION
<20.1
PROBLEM TYPE
Improper Input Validation
REFERENCES
https://exchange.1e.com/product-packs/network/
https://www.1e.com/trust-security-compliance/cve-info/
DESCRIPTION
The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.
To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1by uploading it through the 1E Platform instruction upload UI.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ASSIGNING CNA
1E
CVE-2023-45160
CVEID
CVE-2023-45160
PRODUCT
1E Client for Windows
VERSION
– 8.1.2.62
– 8.4.1.159
– 9.0.1.88
– 23.7.1.151
PROBLEM TYPE
Files or Directories Accessible to External Parties
REFERENCES
https://www.1e.com/trust-security-compliance/cve-info/
DESCRIPTION
In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script. by replacing a resource script file created by an instruction at run time with a malicious script. This has been fixed in patch Q23094 as the 1E Client's temporary directory is now locked down.
CVSS v3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ASSIGNING CNA
1E
CVE-2023-45159
CVEID
CVE-2023-45159
PRODUCT
1E Client for Windows
VERSION
– 8.1.2.62
– 8.4.1.159
– 9.0.1.88
– 23.7.1.151
PROBLEM TYPE
Improper Link Resolution Before File Access ('Link Following')
REFERENCES
https://www.1e.com/trust-security-compliance/cve-info/
DESCRIPTION
1E Client installer can perform arbitrary file deletion on protected files. A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup.
A hotfix is available from the 1E support portal that forces the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.
for v8.1 use hotfix Q23097
for v8.4 use hotfix Q23105
for v9.0 use hotfix Q23115
for SaaS customers, use 1EClient v23.7 plus hotfix Q23121
ASSIGNING CNA
1E
CVE-2020-16268
CVEID
CVE-2020-16268
PRODUCT
1E Client for Windows
VERSION
– 5.0.x
– 4.1.x
PROBLEM TYPE
Execution with Unnecessary Privileges
REFERENCES
https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645
DESCRIPTION
The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.
CVSS v3.1 Vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
https://nvd.nist.gov/vuln/detail/CVE-2020-16268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16268
ASSIGNING CNA
MITRE
CVE-2020-27643
CVEID
CVE-2020-27643
PRODUCT
1E Client for Windows
VERSION
– 5.0.x
– 4.1.x
PROBLEM TYPE
Windows Hard Link
REFERENCES
https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645
DESCRIPTION
The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory. This leads to partial privilege escalation. This vulnerability can be mitigated by changing the permission of the ProgramData\1E\Client directory so that a standard user does not have the ability to create and modify files.
CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
https://nvd.nist.gov/vuln/detail/CVE-2020-27643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27643
ASSIGNING CNA
MITRE
CVE-2020-27644
CVEID
CVE-2020-27644
PRODUCT
1E Client for Windows
VERSION
5.0.x
PROBLEM TYPE
Uncontrolled Search Path Element
REFERENCES
https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645
DESCRIPTION
The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges by placing a malicious file called cryptbase.dll to the C:\Windows\Temp\.
CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
https://nvd.nist.gov/vuln/detail/CVE-2020-27644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27644
ASSIGNING CNA
MITRE
CVE-2020-27645
CVEID
CVE-2020-27645
PRODUCT
1E Client for Windows
VERSION
5.0.x
PROBLEM TYPE
Uncontrolled Search Path Element
REFERENCES
https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645
DESCRIPTION
The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.
CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
https://nvd.nist.gov/vuln/detail/CVE-2020-27645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27645
ASSIGNING CNA
MITRE