CVE-2019-19470 - Deserialization of Untrusted Data vulnerability in TinyWall
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITY\SYSTEM for a local attacker. Affected product is TinyWall, all versions up to and including 2.1.12. Fixed in version 2.1.13.
References
- https://gist.github.com/pylorak/7df52c9325614676e07782dbe4e81582
- https://www.wilderssecurity.com/threads/beta-testing-tinywall.309739/page-62#post-2882843