Security Features in Microsoft Surface Hub

#VU25251 Security Features in Microsoft Surface Hub

Published: 2020-02-11

Vulnerability identifier: #VU25251

Vulnerability risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-0702

CWE-ID: CWE-254

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Microsoft Surface Hub
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Microsoft

Description
This vulnerability allows a local attacker to bypass security rescritions feature.

The vulnerability exists in Surface Hub when prompting for credentials. An attacker with physical access can access settings which are restricted to Administrators.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft Surface Hub: All versions

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0702

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security feature bypass in Microsoft Surface Hub