Centrify Authentication and Privilege Elevation Services 3.4.0 Deserialization of Untrusted Data Vulnerability

Summary

The Windows component of Centrify Authentication and Privilege Elevation Services 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1 (18.8), 3.5.2 (18.11), and 3.6.0 (19.6) do not properly handle an unspecified exception during use of partially trusted assemblies to serialize input data.

Credit:

The information has been provided by Vendor

The original article can be found at:https://centrify.force.com/support/Article/KB-22420-Centrify-Agent-for-Windows-Remote-Code-Execution-Vulnerability

 


Details

Allows attackers to execute arbitrary code inside the Centrify process via a crafted application that makes a pipe connection to the process and sends malicious serialized data or a crafted Microsoft Management Console snap-in control file.

 

Vulnerable Systems:

Centrify Authentication and Privilege Elevation Services 3.4.0 to 3.4.3

Centrify Authentication and Privilege Elevation Services 3.5.0 to 3.5.2 (18.11)

Centrify Authentication and Privilege Elevation Services 3.6.0 (19.6) 

 

CVE Information:

CVE-2019-18631

 

Disclosure Timeline:
Published Date:11/5/2019