
ID

VDE-2022-015

Published

2022-04-27 14:00 (CEST)

Last update

2022-04-27 17:06 (CEST)

Vendor(s)

Miele & Cie KG

Product(s)

Article No°   Product Name                 Affected Version(s)
              Benchmark Programming Tool   <= 1.2.71

Summary

On Microsoft Windows, the Miele Benchmark Programming Tool installer selects by default a folder that is writable for all users (C:\MIELE_SERVICE). After the tool has been installed, users without administrative privileges are able to exchange or delete executable files in this path.


Weakness

Improper Privilege Management (CWE-269)

Summary

In Miele Benchmark Programming Tool versions prior to 1.2.71, executable files that have been manipulated by an attacker are unknowingly executed by users with administrative privileges, allowing the attacker to obtain higher permissions. The attacker must already have local access to the affected system in order to exchange the files.


Solution

A new version (1.2.72) of the Benchmark Programming Tool, which fixes this vulnerability, is available for download on the Miele website: https://www.miele.de/p/miele-benchmark-programming-tool-2296.htm

Remediation

As a further risk-minimizing measure, the write permissions of the installation folder C:\Miele_Service\Miele Benchmark Programming Tool can be adjusted so that files can only be exchanged with administrative permissions. This is also possible without reinstalling or updating the tool. The procedure for adjusting the permissions depends on the Microsoft Windows operating system environment in use and in most cases requires administrative rights.
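The following PowerShell script is an added example, not part of this advisory or of Miele's tool. It performs the check and the permission adjustment described above: it audits the installation folder (and its parent, which the Summary names as world-writable) for Allow ACEs that give broad principals such as Users, Authenticated Users or Everyone write, delete or permission-change rights, and with -Fix it stops inheritance from the parent, replaces those ACEs with read/execute, and grants full control only to Administrators and SYSTEM. The install path is the one given in the Remediation section; the list of "broad" principals and the choice to leave read/execute in place are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CERT@VDE advisory or Miele): audit the Benchmark
# Programming Tool install folder for ACEs that let ordinary users replace or
# delete files, and (with -Fix) restrict write access to administrators.
param(
    # Path named in the advisory's Remediation section; adjust if installed elsewhere.
    [string]$InstallDir = 'C:\Miele_Service\Miele Benchmark Programming Tool',
    [switch]$Fix
)

# Principals that effectively mean "every local user" (assumed list). An Allow ACE
# granting any write-type right to one of these is the condition the advisory describes.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow exchanging or deleting files. Modify and FullControl contain
# these bits, so the -band test below catches them too.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some inherited ACEs carry generic rights instead of specific bits; treat
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) as write access as well.
$GenericWrite = 0x10000000 -bor 0x40000000

function Get-BroadWriteAces {
    # Returns the Allow ACEs on $Path that give a broad principal write-type rights.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $rights = [int]($_.FileSystemRights)
        ($_.AccessControlType -eq 'Allow') -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        ((($rights -band [int]$WriteRights) -ne 0) -or (($rights -band $GenericWrite) -ne 0))
    }
}

function Protect-InstallDir {
    # Makes $Path writable by Administrators and SYSTEM only; broad principals keep
    # read/execute so non-admin users can still run the tool.
    param([string]$Path)

    # Step 1: stop inheriting ACEs from the parent folder, keeping copies for now.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read; every ACE is now explicit and can be replaced.
    $acl = Get-Acl -LiteralPath $Path
    $offenders = @(Get-BroadWriteAces -Path $Path |
                   ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    foreach ($name in $offenders) {
        $id = [System.Security.Principal.NTAccount]$name
        $acl.PurgeAccessRules($id)   # drop all existing ACEs for this principal
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }
    foreach ($name in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $name, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit the tool folder and its parent (the advisory names C:\MIELE_SERVICE as world-writable).
foreach ($dir in @((Split-Path -Parent $InstallDir), $InstallDir)) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not found: $dir"; continue }
    $bad = @(Get-BroadWriteAces -Path $dir)
    if ($bad.Count -eq 0) { Write-Host "OK   $dir : no broad write access"; continue }
    Write-Host "RISK $dir : writable by broad principals"
    $bad | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize |
        Out-String | Write-Host
}

if ($Fix -and (Test-Path -LiteralPath $InstallDir)) {
    Protect-InstallDir -Path $InstallDir
    $remaining = @(Get-BroadWriteAces -Path $InstallDir).Count
    Write-Host "Hardened $InstallDir; remaining broad-write ACEs: $remaining"
}
```

Run it from an elevated PowerShell session. Without -Fix it only reports, which makes it suitable as a recurring check on service laptops; with -Fix it rewrites the folder's DACL, and the new ACEs propagate to files and subfolders that inherit from it (files carrying their own explicit ACEs are not touched, so re-run the audit afterwards). The adjustment complements, but does not replace, updating to version 1.2.72.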

Reported by

CERT@VDE coordinated with Miele PSIRT

SEC Consult Vulnerability Lab identified and reported the vulnerability to Miele PSIRT.