vendor: ActivClient
by: SamAlucard
CVSS: 7.8 HIGH
Unquoted Service Path
CWE: 22
Product Name: ActivClient
Affected Version From: ActivIdentity 8.2
Affected Version To: ActivIdentity 8.2
Patch Exists: NO
Related CWE: N/A
CPE: a:actividentity:activclient:8.2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 Pro
2021
ActivIdentity 8.2 – ‘ac.sharedstore’ Unquoted Service Path
ActivIdentity 8.2 is desktop authentication software that uses smart cards and readers for enterprise, government and commercial establishments. It contains an unquoted service path vulnerability that allows an attacker to gain elevated privileges on the system. The cause is the ac.sharedstore service, which is installed with the ActivIdentity 8.2 software and configured to run with LocalSystem privileges: its executable path is registered without quotes. When an unquoted service path contains spaces, Windows can resolve it to a different executable than the intended one, and that executable then runs with the service's privileges.
Mitigation:
Ensure that all services are installed with a fully qualified path, and that all services are running with the least privileges necessary.
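One way to check a host for the condition described above is to audit every registered service's executable path. This is an added example, not part of the original advisory; the function name `Test-UnquotedServicePath` and the sample paths are constructed for illustration.

```powershell
# Added example: list Windows services whose executable path is unquoted
# and contains a space. Read-only; it changes nothing on the host.

function Test-UnquotedServicePath {
    # Hypothetical helper name. Returns $true when the executable part of
    # a service PathName is not quoted and contains at least one space.
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$PathName
    )

    $p = $PathName.Trim()
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }

    # Everything up to the first ".exe" is the executable path; whatever
    # follows is arguments and may legitimately contain spaces.
    if ($p -match '^(.+?\.exe)(\s|$)') {
        return $Matches[1].Contains(' ')
    }
    return $false
}

# Constructed sample values (not taken from the advisory).
$samples = @(
    'C:\Program Files\Example Vendor\svc.exe -run',    # flagged
    '"C:\Program Files\Example Vendor\svc.exe" -run',  # quoted: not flagged
    'C:\Windows\System32\svchost.exe -k netsvcs'       # no space in path: not flagged
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Audit the local machine. StartName shows the account the service runs
# as, so LocalSystem services can be prioritised.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Sort-Object StartName, Name |
    Select-Object Name, StartName, StartMode, State, PathName |
    Format-Table -AutoSize -Wrap
```

For a flagged service, the fix is to enclose the executable portion of its `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>` in double quotes, then confirm the service still starts.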