VDE-2022-015

Vulnerability from csaf_mieleciekg - Published: 2022-04-27 12:00 - Updated: 2022-04-27 12:00
Summary
Miele: Security vulnerability in Benchmark Programming Tool
Notes
Summary: The Miele Benchmark Programming Tool on a Microsoft Windows operating system, selects a folder by default upon installation that is writable for all users (C:\\MIELE_SERVICE). After the installation of the tool, users without administrative privileges are able to exchange or delete executable files in this path.
Mitigation: A new version (1.2.72) of the Benchmark Programming Tool, which closes the named vulnerability, is available for download on the Miele website: https://www.miele.de/p/miele-benchmark-programming-tool-2296.htm
Remediation: As a further risk-minimizing measure, the write permissions of the installation folder C:\\Miele_Service\\ Miele Benchmark Programming Tool can be adjusted so that an exchange of files is only possible with administrative permissions. This is also possible without reinstalling or updating the tool. The procedure for adjusting the permissions depends on the Microsoft Windows operating system environment used and in most cases requires administrative rights.
CVE-2022-22521

In Miele Benchmark Programming Tool with versions Prior to 1.2.71, executable files manipulated by attackers are unknowingly executed with users privileges. An attacker with low privileges may trick a user with administrative privileges to execute these binaries as admin.

7.3 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-269 - Improper Privilege Management
Workaround As a further risk-minimizing measure, the write permissions of the installation folder C:\\Miele_Service\\ Miele Benchmark Programming Tool can be adjusted so that an exchange of files is only possible with administrative permissions. This is also possible without reinstalling or updating the tool. The procedure for adjusting the permissions depends on the Microsoft Windows operating system environment used and in most cases requires administrative rights.
References
Acknowledgments
CERT@VDE certvde.com
SEC Consult Vulnerability Lab
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "SEC Consult Vulnerability Lab",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The Miele Benchmark Programming Tool on a Microsoft Windows operating system, selects a folder by default upon installation that is writable for all users (C:\\\\MIELE_SERVICE). After the installation of the tool, users without administrative privileges are able to exchange or delete executable files in this path.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "A new version (1.2.72) of the Benchmark Programming Tool, which closes the named vulnerability, is available for download on the Miele website:\u00a0https://www.miele.de/p/miele-benchmark-programming-tool-2296.htm",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "As a further risk-minimizing measure, the write permissions of the installation folder C:\\\\Miele_Service\\\\ Miele Benchmark Programming Tool can be adjusted so that an exchange of files is only possible with administrative permissions. This is also possible without reinstalling or updating the tool. The procedure for adjusting the permissions depends on the Microsoft Windows operating system environment used and in most cases requires administrative rights.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@miele.com",
      "name": "Miele \u0026 Cie KG",
      "namespace": "https://www.miele.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2022-015: Miele: Security vulnerability in Benchmark Programming Tool - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2022-015/"
      },
      {
        "category": "self",
        "summary": "VDE-2022-015: Miele: Security vulnerability in Benchmark Programming Tool - CSAF",
        "url": "https://miele.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-015.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://www.miele.com"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Miele \u0026 Cie KG",
        "url": "https://certvde.com/en/advisories/vendor/miele/"
      }
    ],
    "title": "Miele: Security vulnerability in Benchmark Programming Tool",
    "tracking": {
      "aliases": [
        "VDE-2022-015"
      ],
      "current_release_date": "2022-04-27T12:00:00.000Z",
      "generator": {
        "date": "2025-04-28T10:00:03.241Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.24"
        }
      },
      "id": "VDE-2022-015",
      "initial_release_date": "2022-04-27T12:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-04-27T12:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.2.71",
                    "product": {
                      "name": "Benchmark Programming Tool \u003c=1.2.71",
                      "product_id": "CSAFPID-51001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Benchmark Programming Tool"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Vendor"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-22521",
      "cwe": {
        "id": "CWE-269",
        "name": "Improper Privilege Management"
      },
      "notes": [
        {
          "category": "description",
          "text": "In Miele Benchmark Programming Tool with versions Prior to 1.2.71, executable files manipulated by attackers are unknowingly executed with users privileges. An attacker with low privileges may trick a user with administrative privileges to execute these binaries as admin.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "As a further risk-minimizing measure, the write permissions of the installation folder C:\\\\Miele_Service\\\\ Miele Benchmark Programming Tool can be adjusted so that an exchange of files is only possible with administrative permissions. This is also possible without reinstalling or updating the tool. The procedure for adjusting the permissions depends on the Microsoft Windows operating system environment used and in most cases requires administrative rights.",
          "product_ids": [
            "CSAFPID-51001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.3,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001"
          ]
        }
      ],
      "title": "CVE-2022-22521"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.