SolarWinds Dameware Mini Remote Control Unauthenticated RCE

critical Nessus Plugin ID 130458

VPR Score: 5.9

Synopsis

The remote host is running a remote control application that is affected by a remote code execution vulnerability.

Description

The SolarWinds Dameware Mini Remote Control Client Agent running on the remote host is affected by a remote code execution vulnerability due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a series of requests, to execute arbitrary code.

Solution

The fix introduced in SolarWinds Dameware Mini Remote Control v12.1 Hotfix 3 appears to be incomplete. Please contact the vendor for a solution and possible workarounds.

See Also

http://www.nessus.org/u?fee92693

Plugin Details

Severity: Critical

ID: 130458

File Name: solarwinds_dameware_mini_remote_control_cve-2019-3980.nasl

Version: 1.5

Type: remote

Agent: windows

Family: Windows

Published: 11/1/2019

Updated: 2/2/2021

Dependencies: find_service2.nasl, solarwinds_dameware_mini_remote_control_cve-2019-3956.nasl

Risk Information

Risk Factor: Critical

VPR Score: 5.9

CVSS Score Source: CVE-2019-3980

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:dameware:mini_remote_control

Exploit Ease: No known exploits are available

Patch Publication Date: 10/18/2019

Vulnerability Publication Date: 10/8/2019

Reference Information

CVE: CVE-2019-3980

TRA: TRA-2019-43

IAVA: 2020-A-0392