SES Evolution agent arbitrary file creation (CVE-2023-35799)
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
|---|---|---|---|---|
| STORM-2023-022 | CVE-2023-35799 | 06/14/2023 | low | v1 |
Vulnerability details
An interactive user can use the SES Evolution agent to create an arbitrary file with local system privileges.
Impacted products
| Products | Severity | Detail |
|---|---|---|
| Stormshield Endpoint Security | low | SES is impacted |
Revisions
| Version | Date | Description |
|---|---|---|
| v1 | Initial release |
Stormshield Endpoint Security |
CVSS v3.1 Overall Score: 3.4
|
Analysis |
Impacted version |
|
An interactive user can use the SES Evolution agent to create arbitrary files with local system privileges. This does not allow to replace existing files and does not allow to control the create file contents. This allows to cause denial of service for arbitrary components, including system processes and SES Evolution agent processes. |
|
Workaround solution |
Solution |
|
There is no workaround solution. |
The 2.4.1 update fixes this vulnerability. |
| Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability impact |
|---|---|---|---|---|---|---|---|
| Local | Low | Low | None | Unchanged | None | None | High |
| CVSS Base score: 5.5 | CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) |
| Exploit Code Maturity | Remediation Level | Report Confidence |
|---|---|---|
| Proof of concept code | Official fix | Confirmed |
| CVSS Temporal score: 5 | CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C) |
| Confidentiality Requirement | Integrity Requirement | Availability Requirement |
|---|---|---|
| Low | Low | Low |
| CVSS Environmental score: 3.4 | CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X) |