[Security Bulletin] Improper Access Control Privilege Escalation Vulnerability for StellarOne

Overall Information

• Original Released Date: March 3, 2023
• Last Update Date: March 3, 2023
• Severity: High
• CVSS Score: 8.3
• CVSS Vector String: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
• CVE(If appliable): CVE-2023-25069

Description

TXOne StellarOne has an improper access control privilege escalation vulnerability in every version before V2.0.1160 that could allow a malicious, falsely authenticated user to escalate his privileges to administrator level. With these privileges, an attacker could perform actions they are not authorized to.

Please note that an attacker must obtain a low-privileged authenticated user’s profile on the target system in order to exploit this vulnerability.

Affected Version(s)

Solution

TXOne Networks has released the following solution to address the issue

Any version before the one recommended here would not suffice as a solution to this vulnerability. TXOne Networks highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

Acknowledgement

TXOne Networks would like to thank the following individual for responsibly disclosing these issues and working with TXOne Networks to help protect our customers:

• Elias Martinez working with Trend Micro's Zero Day Initiative

External Reference(s)

• ZDI-CAN-18848

If you encounter any problems related to this vulnerability, please contact security@txone.com