ID

VAR-201802-1251


CVE

CVE-2018-7484


TITLE

Untrusted search path vulnerability in PureVPN

Trust: 0.8

sources: JVNDB: JVNDB-2018-002319

DESCRIPTION

An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission to the installation directory. In addition, the PureVPNService.exe service, which runs under NT Authority\SYSTEM privileges, tries to load several dynamic-link libraries using relative paths instead of absolute paths. When a fully qualified path is not used, the application first tries to load the library from the directory from which the application is started. Because the directory containing PureVPNService.exe is writable by all users, the application is susceptible to privilege escalation through DLL hijacking. PureVPN contains an untrusted search path vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). PureVPN is a paid VPN service. A privilege escalation vulnerability exists in PureVPN for Windows 5.19.4.0 and earlier versions.

Trust: 2.16

sources: NVD: CVE-2018-7484 // JVNDB: JVNDB-2018-002319 // CNVD: CNVD-2018-06301

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-06301

AFFECTED PRODUCTS

vendor: purevpn, model: purevpn, scope: eq, version: 5.19.4.0

Trust: 1.6

vendor: purevpn, model: purevpn, scope: lte, version: 5.19.4.0

Trust: 0.8

vendor: purevpn, model: purevpn, scope: lte, version: <=5.19.4.0

Trust: 0.6

sources: CNVD: CNVD-2018-06301 // JVNDB: JVNDB-2018-002319 // CNNVD: CNNVD-201802-654 // NVD: CVE-2018-7484

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-7484
value: HIGH

Trust: 1.0

NVD: CVE-2018-7484
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-06301
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201802-654
value: CRITICAL

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-7484
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-06301
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2018-7484
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-06301 // JVNDB: JVNDB-2018-002319 // CNNVD: CNNVD-201802-654 // NVD: CVE-2018-7484

PROBLEMTYPE DATA

problemtype: CWE-426

Trust: 1.8

sources: JVNDB: JVNDB-2018-002319 // NVD: CVE-2018-7484

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201802-654

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201802-654

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002319

PATCH

title: Top Page, url: https://www.purevpn.com/jp/

Trust: 0.8

title: Patch for PureVPN Windows Privilege Escalation Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/123339

Trust: 0.6

title: PureVPN for Windows fixes for permissions and access control vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78664

Trust: 0.6

sources: CNVD: CNVD-2018-06301 // JVNDB: JVNDB-2018-002319 // CNNVD: CNNVD-201802-654

EXTERNAL IDS

db: NVD, id: CVE-2018-7484

Trust: 3.0

db: JVNDB, id: JVNDB-2018-002319

Trust: 0.8

db: CNVD, id: CNVD-2018-06301

Trust: 0.6

db: CNNVD, id: CNNVD-201802-654

Trust: 0.6

sources: CNVD: CNVD-2018-06301 // JVNDB: JVNDB-2018-002319 // CNNVD: CNNVD-201802-654 // NVD: CVE-2018-7484

REFERENCES

url: https://www.securityfocus.com/archive/1/541803

Trust: 2.4

url: http://www.defensecode.com/advisories/dc-2018-02-001-purevpn-windows-privilege-escalation.pdf

Trust: 2.2

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7484

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-7484

Trust: 0.8

sources: CNVD: CNVD-2018-06301 // JVNDB: JVNDB-2018-002319 // CNNVD: CNNVD-201802-654 // NVD: CVE-2018-7484

SOURCES

db: CNVD, id: CNVD-2018-06301
db: JVNDB, id: JVNDB-2018-002319
db: CNNVD, id: CNNVD-201802-654
db: NVD, id: CVE-2018-7484

LAST UPDATE DATE

2024-11-23T23:08:46.536000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-06301, date: 2018-03-26T00:00:00
db: JVNDB, id: JVNDB-2018-002319, date: 2018-04-09T00:00:00
db: CNNVD, id: CNNVD-201802-654, date: 2018-02-27T00:00:00
db: NVD, id: CVE-2018-7484, date: 2024-11-21T04:12:13.110

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-06301, date: 2018-03-26T00:00:00
db: JVNDB, id: JVNDB-2018-002319, date: 2018-04-09T00:00:00
db: CNNVD, id: CNNVD-201802-654, date: 2018-02-27T00:00:00
db: NVD, id: CVE-2018-7484, date: 2018-02-26T02:29:00.487