Main Vulnerability Database Vulnerabilities #VU34937

Link following in K7 Ultimate Security - CVE-2019-16896

Published: December 27, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU34937

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-16896

CWE-ID: CWE-59

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: K7 Computing Pvt Ltd.

Affected software:
K7 Ultimate Security

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

In K7 Ultimate Security 16.0.0117, the module K7BKCExt.dll (aka the backup module) improperly validates the administrative privileges of the user, allowing an arbitrary file write via a symbolic link attack with file restoration functionality.

How to mitigate CVE-2019-16896

Install update from vendor's website.

Sources

https://github.com/NtRaiseHardError/Antimalware-Research/blob/master/K7%20Security/Local%20Privilege%20Escalation/v16.0.0117/README.md
https://support.k7computing.com/index.php?/selfhelp/categories/Vulnerability%20Report%20and%20Advisory/29

Link following in K7 Ultimate Security - CVE-2019-16896

Detailed vulnerability description

How to mitigate CVE-2019-16896

Sources

Please verify you're human