Vulnerabilities > CVE-2019-9742 - Missing Authorization vulnerability in Gdata-Software Total Security 25.4.0.3

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

gdata-software

CWE-862

NVD

Published: 2019-03-13

Updated: 2024-11-21

Summary

gdwfpcd.sys in G Data Total Security before 2019-02-22 allows an attacker to bypass ACLs because Interpreted Device Characteristics lacks FILE_DEVICE_SECURE_OPEN and therefore files and directories "inside" the \\.\gdwfpcd device are not properly protected, leading to unintended impersonation or object creation.

Vulnerable Configurations

Part	Description	Count
Application	Gdata-Software Gdata Software Total Security 25.4.0.3	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://github.com/nafiez/nafiez.github.io/blob/master/_posts/2019-03-13-gdata-total-security-acl-bypass.md
https://nafiez.github.io/security/bypass/2019/03/12/gdata-total-security-acl-bypass.html
https://github.com/nafiez/nafiez.github.io/blob/master/_posts/2019-03-13-gdata-total-security-acl-bypass.md
https://nafiez.github.io/security/bypass/2019/03/12/gdata-total-security-acl-bypass.html