Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mguard_firmware | Innominate | * | 7.6.6 (including) |
| Mguard_firmware | Innominate | 8.0.0 (including) | 8.0.0 (including) |
| Mguard_firmware | Innominate | 8.0.1 (including) | 8.0.1 (including) |
| Mguard_firmware | Innominate | 8.0.2 (including) | 8.0.2 (including) |
| Mguard_firmware | Innominate | 8.0.3 (including) | 8.0.3 (including) |
| Mguard_firmware | Innominate | 8.1.1 (including) | 8.1.1 (including) |
| Mguard_firmware | Innominate | 8.1.2 (including) | 8.1.2 (including) |
| Mguard_firmware | Innominate | 8.1.3 (including) | 8.1.3 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- http://www.innominate.com/data/downloads/software/innominate_security_advisory_20141217_001_en.pdf
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-352-02
- http://www.innominate.com/data/downloads/software/innominate_security_advisory_20141217_001_en.pdf
- https://ics-cert.us-cert.gov/advisories/ICSA-14-352-02