SB2019092725 - Multiple vulnerabilities in Netskope client service

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Stack-based buffer overflow (CVE-ID: CVE-2019-10882)

The vulnerability allows a local user to cause a denial of service (DoS) attack on the target system.

The vulnerability exists due to a boundary error in the "doHandshakefromServer" function. A local authenticated user can trigger stack-based buffer overflow and crash the target application.

This vulnerability affects the following versions:

• Netskope client v57 before 57.2.0.219
• Netskope client v60 before 60.2.0.214

2) OS Command Injection (CVE-ID: CVE-2019-12091)

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the connection handling function. A local authenticated user can execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

This vulnerability affects the following versions:

• Netskope client v57 before 57.2.0.219
• Netskope client v60 before 60.2.0.214

Remediation

Install update from vendor's website.

References

• https://airbus-seclab.github.io/advisories/netskope.html
• https://support.netskope.com/hc/article_attachments/360033003553/Sprint_62_Release_Notes.pdf
• https://support.netskope.com/hc/en-us/articles/360014589894-Netskope-Client