Title | Privilege Escalation in Snapview Mikogo
Product | Mikogo
Vulnerable Version | < 5.10.2
Fixed Version | 5.10.2
CVE Number | CVE-2019-12731
Impact | High
Homepage | https://www.mikogo.com/
The screen sharing software Mikogo by Snapview is affected by a privilege escalation vulnerability. It allows any user with access to a workstation on which Mikogo is installed to escalate their privileges and issue arbitrary commands in the context of the SYSTEM user. The vendor provides patched versions of the software, which should be installed immediately.
Mikogo is a desktop sharing solution that is ideal for web conferencing, online presentations and remote maintenance. With Mikogo, you can share your screen content with up to 25 participants over the Internet - whatever you see, your participants will see!
Mikogo offers a quick and easy solution for anyone who wants to collaborate online. Mikogo eliminates the need for on-site visits when the same task can be solved online via desktop sharing.
Source (translated): https://www.mikogo.de/downloads/docs/mikogo-product-description.pdf
It was determined that, on Windows systems, the installed Mikogo screen sharing software allows a local user to escalate their privileges to the SYSTEM level, effectively resulting in local administrative privileges.
The local Mikogo service client component runs with SYSTEM privileges. When the user starts the Mikogo GUI component, that component inherits SYSTEM privileges from the service component. The GUI component allows the user to access arbitrary files and to execute other programs, which in turn also inherit SYSTEM privileges. An attacker can exploit this vulnerability to escalate their privileges to the administrative level.
N/A
The reported vulnerability is fixed in software versions 5.10.2 and above. It is recommended to update existing software installations immediately.
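A defender-side check for the condition described above, as an added example that is not part of the original advisory or of any vendor tooling: it reports whether an installed Mikogo is older than 5.10.2 and lists Mikogo-related processes that run as SYSTEM inside an interactive session. The `*Mikogo*` name patterns for the uninstall entry and for the process names are assumptions; run it from an elevated PowerShell prompt so process owners can be read.

```powershell
# Added example. Assumptions: the uninstall DisplayName and the process names
# contain "Mikogo"; adjust both patterns to match your deployment.
$fixed = [version]'5.10.2'   # fixed version stated in the advisory

# 1. Installed version check (64-bit and 32-bit uninstall registry views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Mikogo*' } |
    ForEach-Object {
        $parsed = $null
        # DisplayVersion may be missing or not a dotted version; report that instead of guessing.
        $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
        $status = if (-not $ok) { 'UNKNOWN (check manually)' } elseif ($parsed -lt $fixed) { 'VULNERABLE' } else { 'fixed' }
        [pscustomobject]@{ Name = $_.DisplayName; Version = $_.DisplayVersion; Status = $status }
    }

# 2. Processes owned by SYSTEM in an interactive session (SessionId > 0) that are
#    Mikogo itself or were started by it. Only direct children are checked;
#    deeper descendants need a recursive walk of ParentProcessId.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }
foreach ($p in $procs) {
    if ($p.SessionId -eq 0) { continue }   # session 0 is where services normally run
    $parent  = $byPid[[uint32]$p.ParentProcessId]
    $related = ($p.Name -like 'Mikogo*') -or ($parent -and $parent.Name -like 'Mikogo*')
    if (-not $related) { continue }
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($owner -and $owner.User -eq 'SYSTEM') {
        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Name      = $p.Name
            Parent    = $parent.Name
            Session   = $p.SessionId
            Owner     = "$($owner.Domain)\$($owner.User)"
        }
    }
}
```

Any row from the second part on a host that still reports a version below 5.10.2 matches the inheritance behaviour the advisory describes and is a reason to prioritise the update on that machine.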