ID

VDE-2022-015

Published

2022-04-27 14:00 (CEST)

Last update

2022-04-27 17:06 (CEST)

Vendor(s)

Miele & Cie KG

Product(s)

Article No°   Product Name                 Affected Version(s)
              Benchmark Programming Tool   <= 1.2.71

Summary

On Microsoft Windows, the Miele Benchmark Programming Tool by default installs into a folder (C:\MIELE_SERVICE) that is writable by all users. After installation, users without administrative privileges can therefore replace or delete executable files in this path.


Last Update:

Nov. 17, 2022, 11:18 a.m.

Weakness

Improper Privilege Management (CWE-269)

Summary

In Miele Benchmark Programming Tool versions prior to 1.2.71, executable files that have been manipulated by an attacker are unknowingly executed with the privileges of the user who runs them. An attacker with low privileges may trick a user with administrative privileges into executing these binaries as administrator.

Solution

A new version (1.2.72) of the Benchmark Programming Tool, which closes the named vulnerability, is available for download on the Miele website: https://www.miele.de/p/miele-benchmark-programming-tool-2296.htm

Remediation

As a further risk-minimizing measure, the write permissions of the installation folder C:\Miele_Service\Miele Benchmark Programming Tool can be adjusted so that files can only be replaced with administrative permissions. This is also possible without reinstalling or updating the tool. The procedure for adjusting the permissions depends on the Microsoft Windows environment in use and in most cases requires administrative rights.
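One way to audit the installation folder for the loose permissions described above and, if needed, tighten them as the remediation suggests; this is an added PowerShell example, not code from the advisory, CERT@VDE or Miele, and the default path, the list of broad principals and the read/execute re-grant are assumptions:

```powershell
# Added example, not from the advisory or from Miele: audit the installation folder named
# in the advisory for write access held by broad low-privilege principals and, with -Fix,
# tighten it so only the existing administrative ACEs can replace or delete files there.
# Run from an elevated PowerShell session; adjust $Path if the tool was installed elsewhere.
param(
    [string]$Path = 'C:\Miele_Service\Miele Benchmark Programming Tool',
    [switch]$Fix
)
# Any of these rights lets a standard user swap or delete an executable in the folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, Modify, FullControl'
# Groups every interactive user belongs to (assumed list); none of them should hold write access here.
$broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Get-WeakWriteAce {
    param([string]$FolderPath)
    (Get-Acl -LiteralPath $FolderPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (([int]($_.FileSystemRights)) -band $writeMask) -ne 0
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) { Write-Warning "Not found: $Path"; exit 2 }
$weak = @(Get-WeakWriteAce -FolderPath $Path)
if ($weak.Count -eq 0) { Write-Host "OK: no broad write access on $Path"; exit 0 }
foreach ($ace in $weak) {
    $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Warning ("{0} holds {1} ({2})" -f $ace.IdentityReference, $ace.FileSystemRights, $src)
}
if (-not $Fix) { exit 1 }

# Step 1: stop inheriting from the parent but keep copies of the inherited ACEs, so the
# administrative entries survive; persisting turns those copies into explicit ACEs.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl
# Step 2: purge every rule for the broad principals, then re-grant read/execute only
# (inherited by files and subfolders) so standard users can still launch the tool.
$acl = Get-Acl -LiteralPath $Path
foreach ($p in $broadPrincipals) { $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$p) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -LiteralPath $Path -AclObject $acl
# Files that already carry their own explicit ACEs are not touched; re-run without -Fix to verify.
Write-Host "Fixed: broad write access removed from $Path"
```

The exit code is 0 when the folder is already locked down, 1 when weak entries were found (and not fixed), and 2 when the folder does not exist, so the script can be run unattended as a check.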

Reported by

CERT@VDE coordinated with Miele PSIRT

SEC Consult Vulnerability Lab identified and reported the vulnerability to Miele PSIRT.