
Vulnerability Report - Scheduled Task Potential Vulnerability

 
Unisys ID: UIS-2021-4
Status: Published
CVE-ID: CVE-2021-35056
Affected Product: Stealth(core)
Affected Version: 5.1.x, 6.0.x
Impact: MEDIUM
CVSS v3.1 Base Score: 6.0
CVSS v3.1 Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVSS v2.0 Base Score: 6.2
CVSS v2.0 Vector: (AV:L/AC:L/Au:S/C:N/I:C/A:C)
CVSS Temporal Score: 4.9
Common Weakness Enumeration (CWE):  CWE-428
Common Platform Enumeration (CPE): 
Source: External Reported
Keyword(s):
Vulnerability Description:
The Unisys Stealth installation of Windows endpoint software packages creates a scheduled task in the Windows Task Scheduler that contains an executable. This installation routine introduces a risk for an unintended executable to be run instead of the intended Unisys Stealth executable that is associated with the scheduled task.
System Configuration:
Vulnerability present in any Stealth 5.1 Windows Endpoint below level 5.1.025.0, or Stealth 6.0 Windows Endpoint below level 6.0.055.0
  
Stealth versions 5.0, 4.x and 3.x are NOT affected.
Impact of Exploiting Vulnerability:
An attacker could potentially replace the intended executable with one which could interfere with normal endpoint operations.
Remediation Description:
Vulnerability removed in these levels and higher:
 
Stealth hotfix-5.1.025.0-windows-endpoint.zip
Stealth hotfix-core-6.0.055.0-windows-endpoint.zip
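
The advisory classifies this issue as CWE-428 (unquoted search path or element). The following PowerShell is an added example, not Unisys code: it lists scheduled-task actions on an endpoint whose executable path is unquoted and contains whitespace, which is the pattern CWE-428 names. The function names are hypothetical and the sample paths are constructed, not taken from the advisory.

```powershell
# Added example: audit scheduled-task actions for CWE-428 style unquoted paths.
# Function names are hypothetical; run in an elevated session to see all tasks.

function Test-UnquotedExecPath {
    param([string]$Execute)
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $false }
    # Expand %VAR% references so the check sees the path Windows will resolve.
    $expanded = [Environment]::ExpandEnvironmentVariables($Execute.Trim())
    # A value wrapped in double quotes is parsed unambiguously.
    if ($expanded.StartsWith('"')) { return $false }
    # Unquoted and containing whitespace: the program name is ambiguous.
    return $expanded -match '\s'
}

function Get-UnquotedTaskAction {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Non-exec actions (e.g. COM handlers) have no Execute value;
            # Test-UnquotedExecPath returns $false for an empty string.
            if (Test-UnquotedExecPath $action.Execute) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    RunAs     = $task.Principal.UserId
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# Constructed sample values (not from the advisory) to show the classification.
$samples = @(
    'C:\Program Files\Example Vendor\agent.exe',
    '"C:\Program Files\Example Vendor\agent.exe"',
    '%SystemRoot%\System32\cmd.exe'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Execute = $_; Unquoted = Test-UnquotedExecPath $_ }
}

# Audit the local endpoint.
Get-UnquotedTaskAction | Format-Table -AutoSize
```

A flagged task is a candidate for review, not proof of exposure; confirm the installed Stealth endpoint level against the fixed levels listed above.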
 
Workaround Information:
References:
Unisys PLE 19310141
 
Vulnerability discovered by Jeff McCain.
 
Additional Vendor Comment:
 
 
 

Disclaimer:

Unisys Corporation provides the information in this Security Vulnerability Report “AS IS.” No warranties of any nature are extended by or for the information. Unisys disclaims any financial or other responsibility that may result from your use of the information, including direct, indirect, special, or consequential damages.


Paper copies are not controlled and may be out of date; reference the Product Support Web site for current data.