Arbitrary code execution in Duet Display

Posted date 21/11/2023
Identificador
INCIBE-2023-0512
Importance
4 - High
Affected Resources

Duet Display for Windows 10+, version 2.5.9.1.

Description

INCIBE has coordinated the publication of one vulnerabilitiy that affects Duet Display 2.5.9.1, a remote desktop application and screen mirroring, which has been discovered by Alexander Huamán Jaimes.

This vulnerabilitiy has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

  • CVE-2023-6235: CVSS v3.1: 7.8 | CVSS: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-427.
Solution

There is no reported solution at this time.

Detail
  • CVE-2023-6235: an uncontrolled search path element vulnerability has been found in the Duet Display product, affecting version 2.5.9.1. An attacker could place an arbitrary libusk.dll file in the C:\Users\user\AppData\Local\Microsoft\WindowsApps\ directory, which could lead to the execution and persistence of arbitrary code.
References list
Etiquetas